Finland Hit by Coordinated Wave of FluBot Malware Attacks Spread Using SMS

Late last week, Finnish authorities published a "severe alert" concerning the aggressive spread of malicious text messages used to distribute the FluBot malware.

The notification came from the Finnish National Cyber Security Centre. The news release warned that anyone in the country using an Android phone with a mobile subscription was potentially exposed to the malicious text messages. iPhone users, although safe from FluBot itself, were redirected to other "fraudulent material".

The hook used to get victims to interact with the malicious texts is usually a fake notification that the user has either received a new voicemail or has an incoming message directly from their mobile operator.

The infection is transmitted through a malicious link in the SMS messages. According to Finnish authorities, the link doesn't install the malware automatically; user permission is still requested.

Once FluBot makes its way onto an Android phone, it can steal information from the device and use the phone to send further malicious text messages. Whoever designed the malicious texts was not particularly crafty, because the messages lack characters specific to Scandinavian languages, such as umlauts and accented letters. Additionally, the report mentions that random non-letter characters may be scattered in strange places in the text.

When the campaign was detected, "tens of thousands" of malicious SMS messages had already been sent, and Finnish authorities expect this number to rise further as the infection takes over more devices.

Finland already had to deal with one wave of FluBot infections earlier in 2021, and that earlier campaign was eliminated after mobile operators got on board and implemented measures. However, according to the news release, the new campaign has found a way to circumvent those measures and is still spreading rapidly.

The images of fraudulent SMS messages provided by Finland's National Cyber Security Centre include plain texts in bad Finnish, as well as an image containing a fake DHL package tracking notification, similar to a scam that was very popular as early as 2020.