Connect with us

Hi, what are you looking for?



FluBot Android Malware Expected to Start Targeting U.S.

The FluBot Android malware is spreading fast across Europe using an SMS package delivery scheme and it’s soon expected to arrive in the United States as well, cybersecurity company Proofpoint warned this week.

The FluBot Android malware is spreading fast across Europe using an SMS package delivery scheme and it’s soon expected to arrive in the United States as well, cybersecurity company Proofpoint warned this week.

Initially observed in Spain, FluBot has since expanded operations to reach Germany, Hungary, Italy, Poland, and the UK as well, with tens of thousands of malicious SMS messages that leverage FedEx, DHL, and Correos lures being sent hourly.

The malware is believed to have made over 7,000 victims in the UK alone, where the campaign operators were using more than 700 unique domains for the distribution of FluBot.

Proofpoint says that U.S. users have already started receiving German and English-language phishing SMS messages, suggesting that the threat actor is getting ready to expand to this country. The pattern is similar to how the attacks started in the UK, where users first received German messages and only then English ones.

The attack starts with the victim receiving a SMS message supposedly arriving from a delivery service, which includes links to compromised sites. When clicking the link, the victim is prompted to download a malicious app featuring the delivery service’s logo, but which has FluBot embedded within.

The application requires user interaction to gain privileges to use Android Accessibility Service, as well as for Notification access. Once it has received the necessary permissions, FluBot gains access to the entire device, acting “as spyware, SMS spammer, and credit card and banking credential stealers,” Proofpoint explains.

FluBot also sends the victim’s contact list to the command and control (C&C) server, to spread further, and can intercept SMS messages, USSD messages from service providers, and app notifications. It can also open pages in the browser, disable Google Play Protect, open a SOCKS connection for C&C communication, and uninstall applications.

Advertisement. Scroll to continue reading.

Furthermore, the malware can display overlays for various banking apps, as well as for Google Play verification, and can validate captured credit card numbers locally and only then send them to the C&C.

“FluBot is likely to continue to spread at a fairly rapid rate, moving methodically from country to country via a conscious effort by the threat actors. As long as there are users willing to trust an unexpected SMS message and follow the threat actors’ provided instructions and prompts, campaigns such as these will be successful,” Proofpoint concludes.

Related: Massive Android Botnet Hits Smart TV Ad Ecosystem

Related: Recently Patched Android Vulnerability Exploited in Attacks

Related: Fake Netflix App Luring Android Users to Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...