The FluBot Android malware is spreading fast across Europe using an SMS package delivery scheme and it’s soon expected to arrive in the United States as well, cybersecurity company Proofpoint warned this week.
Initially observed in Spain, FluBot has since expanded operations to reach Germany, Hungary, Italy, Poland, and the UK as well, with tens of thousands of malicious SMS messages that leverage FedEx, DHL, and Correos lures being sent hourly.
The malware is believed to have made over 7,000 victims in the UK alone, where the campaign operators were using more than 700 unique domains for the distribution of FluBot.
Proofpoint says that U.S. users have already started receiving German and English-language phishing SMS messages, suggesting that the threat actor is getting ready to expand to this country. The pattern is similar to how the attacks started in the UK, where users first received German messages and only then English ones.
The attack starts with the victim receiving a SMS message supposedly arriving from a delivery service, which includes links to compromised sites. When clicking the link, the victim is prompted to download a malicious app featuring the delivery service’s logo, but which has FluBot embedded within.
The application requires user interaction to gain privileges to use Android Accessibility Service, as well as for Notification access. Once it has received the necessary permissions, FluBot gains access to the entire device, acting “as spyware, SMS spammer, and credit card and banking credential stealers,” Proofpoint explains.
FluBot also sends the victim’s contact list to the command and control (C&C) server, to spread further, and can intercept SMS messages, USSD messages from service providers, and app notifications. It can also open pages in the browser, disable Google Play Protect, open a SOCKS connection for C&C communication, and uninstall applications.
Furthermore, the malware can display overlays for various banking apps, as well as for Google Play verification, and can validate captured credit card numbers locally and only then send them to the C&C.
“FluBot is likely to continue to spread at a fairly rapid rate, moving methodically from country to country via a conscious effort by the threat actors. As long as there are users willing to trust an unexpected SMS message and follow the threat actors’ provided instructions and prompts, campaigns such as these will be successful,” Proofpoint concludes.