FluBot Android Malware

FluBot Android Malware Description

The FluBot Android Malware is spreading rapidly across Android devices, aiming to collect banking and debit/credit card credentials. The threat was discovered by infosec researchers at the Swiss cybersecurity company PRODAFT. According to their estimates, FluBot has already compromised over 60,000 Android devices, located mostly in Spain. Because the threat can obtain the entire contact list of each infected user, the analysts project that the attackers now have the phone numbers of 11 million users, representing 25% of Spain's total population.

The FluBot Android Malware is distributed via SMS messages containing manipulative hooks designed to trick the user into clicking the provided link. The unsuspecting Android user is then taken to a compromised domain hosting the FluBot Android Malware under the guise of legitimate-sounding applications. The applications impersonated by the threat include FedEx, DHL, Correos and Chrome.

Once installed, FluBot asks the user to grant it access to Android's Accessibility Services. If the user agrees, the threat can then carry out a wide range of threatening activities: it can imitate screen taps without the user's knowledge, read and write SMS messages, make calls, etc. The threat downloads numerous fake login pages for different banking applications and overlays them on top of the legitimate application through WebView. All information entered by the user is harvested and transmitted to the Command-and-Control (C2, C&C) server. FluBot can also intercept any one-time passwords (OTPs) or access keys sent by the targeted banking applications to the infected Android device. Having access to the user's entire contact list allows FluBot to spread itself exponentially by sending threatening SMS messages from the compromised device.
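
A defensive triage sketch for the behaviours described above, added here as an example and not taken from PRODAFT's research or from any FluBot tooling: it scores a device's app inventory on the indicators this page names (install from outside the app store, an impersonated brand label, an enabled Accessibility Service, and SMS, contacts or call access). The inventory format, field names, package names and threshold are assumptions constructed for illustration.

```python
# Added example: field names are hypothetical, not any real MDM or adb output format.
IMPERSONATED_BRANDS = ("fedex", "dhl", "correos", "chrome")  # brands named on this page
PLAY_STORE = "com.android.vending"  # installer package name of Google Play
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}
OTHER_PERMS = {"android.permission.READ_CONTACTS", "android.permission.CALL_PHONE"}


def score_app(app):
    """Return (score, reasons) for one inventory record; one point per indicator."""
    reasons = []
    perms = set(app.get("permissions", []))
    sideloaded = app.get("installer") != PLAY_STORE
    if sideloaded:
        reasons.append("installed from outside Google Play")
    if sideloaded and any(b in app.get("label", "").lower() for b in IMPERSONATED_BRANDS):
        reasons.append("sideloaded app using a commonly impersonated brand name")
    if app.get("accessibility_enabled"):
        reasons.append("Accessibility Service enabled")
    if perms & SMS_PERMS:
        reasons.append("SMS read/send/receive access")
    if perms & OTHER_PERMS:
        reasons.append("contacts or call access")
    return len(reasons), reasons


def triage(inventory, threshold=4):
    """Return (package, score, reasons) for apps at or above the threshold, worst first."""
    hits = [(pkg, *score_app(app)) for pkg, app in inventory.items()]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


# Constructed sample inventory (package names are made up for illustration).
SAMPLE = {
    "com.example.parcel.tracker": {
        "label": "DHL", "installer": None, "accessibility_enabled": True,
        "permissions": ["android.permission.READ_SMS", "android.permission.SEND_SMS",
                        "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE"]},
    "com.example.screenreader": {
        "label": "Screen Reader", "installer": PLAY_STORE,
        "accessibility_enabled": True, "permissions": []},
    "com.example.messenger": {
        "label": "Messenger", "installer": PLAY_STORE, "accessibility_enabled": False,
        "permissions": ["android.permission.READ_SMS", "android.permission.READ_CONTACTS"]},
}

if __name__ == "__main__":
    for pkg, score, reasons in triage(SAMPLE):
        print(pkg, score, reasons)
```

No single indicator is conclusive (legitimate screen readers use Accessibility Services, legitimate messengers read SMS), which is why the sketch only flags apps where several of them coincide.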

Even if users know that FluBot is present on their device, deleting the threat could prove to be difficult. Any attempt to uninstall the application is interrupted by a toast notification stating 'You can not perform this action on a service system', after which FluBot immediately force-closes the Settings application. To clean their devices, affected users may need to download an open-source application called malninstall that was created specifically for the purpose of deleting the FluBot Android Malware.