
How the Flubot Malware Infected Thousands of Android Phones

by CISOCONNECT Bureau

A new form of malware is infecting Android smartphones across the UK and Europe via text message. Read on to know more about it…

Do you have a habit of clicking on links sent to you via SMS? If you answered yes, you should be cautious and think twice before clicking on a random link to track delivery or download something, because that link could cost you money. There have been reports of a new malware called FluBot spreading quickly in the UK under the guise of a package delivery tracker. According to reports, it instructs the victim to click on a weblink to download a “missed package delivery” app.

Many of the messages have been packaged to look like they came from DHL, UPS, Amazon, or the Royal Mail. Customers of network operators such as Three, EE, and Vodafone have also been warned to be aware of the scam.

According to Proofpoint cybersecurity experts, the FluBot Android malware has compromised and spread to 7,000 devices in the United Kingdom alone. As more devices send messages to others, the infection rate will increase exponentially.

According to Proofpoint data, the malware campaign in the United Kingdom started with messages sent from Germany, but these were quickly replaced by messages from UK senders. The malware is spreading rapidly and affecting users in the United Kingdom, Spain, Germany, and Poland.

Observations
FluBot versions 3.7 and 4.0 were reverse-engineered by Proofpoint researchers. They discovered that while both have the same features, their obfuscation and C2 communication differ.

To connect to its C2 server, FluBot uses a domain generation algorithm (DGA), which creates a list of domains to try until it finds one that is available. If one of the domains used for C2 communications is blocked or taken down, the attackers can easily migrate to another. FluBot version 4.0 customizes the mechanism using the language set on the victim’s Android phone.
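The lookup pattern described above (many generated names tried until one resolves) is visible in resolver logs. The following is an added defender-side example, not code from Proofpoint or the original article; the log format, thresholds, and sample lines are constructed assumptions, and it does not reproduce FluBot's actual DGA.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "epoch_seconds client qname rcode".
SAMPLE_LOG = """\
1000 10.0.0.5 qhwkxjzpvbtrmdc.example NXDOMAIN
1001 10.0.0.9 www.example.com NOERROR
1002 10.0.0.5 lmzqpwxrvtkyhgb.example NXDOMAIN
1003 10.0.0.9 exmaple.com NXDOMAIN
1004 10.0.0.5 bvnxkqjwhtzrpmd.example NXDOMAIN
1006 10.0.0.5 tgkwzxvqpjhnbrm.example NXDOMAIN
1007 10.0.0.5 ydfkqwxzjvhptbn.example NOERROR
1008 10.0.0.9 mail.example.org NOERROR
"""

def entropy(label):
    """Shannon entropy in bits per character of a DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def looks_generated(qname, min_len=10, min_entropy=3.0):
    """Heuristic with assumed thresholds: long, high-entropy leftmost label."""
    label = qname.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy

def find_dga_suspects(log, window=60, min_failures=4):
    """Flag clients with >= min_failures distinct generated-looking NXDOMAINs
    inside `window` seconds; record the first such name that later resolves."""
    recent = defaultdict(dict)   # client -> {qname: last NXDOMAIN timestamp}
    suspects = {}                # client -> {"failed": [...], "resolved": name or None}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue             # skip malformed lines
        ts, client, rcode = int(fields[0]), fields[1], fields[3]
        qname = fields[2].lower().rstrip(".")
        if not looks_generated(qname):
            continue
        if rcode == "NXDOMAIN":
            seen = recent[client]
            seen[qname] = ts
            for name in [n for n, t in seen.items() if ts - t > window]:
                del seen[name]   # expire failures that fell out of the window
            if len(seen) >= min_failures:
                hit = suspects.setdefault(client, {"failed": [], "resolved": None})
                hit["failed"] = sorted(set(hit["failed"]) | set(seen))
        elif rcode == "NOERROR" and client in suspects and suspects[client]["resolved"] is None:
            suspects[client]["resolved"] = qname   # candidate live C2 domain to investigate
    return suspects
```

The `resolved` name is the one worth triaging first, since it is the domain the client reached after the burst of failed lookups.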

Working Mechanism
The malware, which was first reported by the BBC, takes over devices and spies on phones to gather sensitive data such as passwords, banking information, and even the address book, which allows the fake message to be sent to the contacts of the affected user.

FluBot is spread through text messages that claim to be from a delivery company and ask users to click a weblink to track their package’s delivery. The phishing website then instructs users to download an app in order to track the fake delivery. The app is actually malware that steals data from the infected Android phone.

When an Android user clicks on the phishing weblink, they are taken to a website that redirects them to third-party sites from which malicious APK (Android Package) files are downloaded. According to the report, such files are typically blocked by default to protect users from attacks; however, the fake websites give users instructions on how to bypass this protection in order to install the FluBot malware.

Mitigation
The National Cyber Security Centre (NCSC) in the United Kingdom has provided security guidelines for recognizing the malware, and network providers such as Vodafone UK have issued threat alerts to customers by text message. It also instructs users not to create any new accounts in order to prevent their data from being stolen. They should also update their passwords, as the virus might have compromised them as well.

Since your passwords and online accounts are now at risk from hackers, you should take the following measures to clean your device. Wait until you’ve cleaned your device before entering your password or logging into any accounts.

Perform a factory reset as soon as possible to clean your device. The procedure varies depending on the device manufacturer, and it’s important to remember that if you don’t have backups available, you’ll lose data.

When you set up the device again after the reset, it may ask whether you want to restore from a backup. Avoid restoring from any backups you made after installing the app, because they will be infected as well.

If you have used a password to log in to any accounts or apps after installing the app, you must change the password. If you’ve used the same passwords for other accounts, you’ll need to update them as well.
