Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

FluBot Android Malware Expected to Start Targeting U.S.

The FluBot Android malware is spreading fast across Europe using an SMS package delivery scheme and it’s soon expected to arrive in the United States as well, cybersecurity company Proofpoint warned this week.

The FluBot Android malware is spreading fast across Europe using an SMS package delivery scheme and it’s soon expected to arrive in the United States as well, cybersecurity company Proofpoint warned this week.

Initially observed in Spain, FluBot has since expanded operations to reach Germany, Hungary, Italy, Poland, and the UK as well, with tens of thousands of malicious SMS messages that leverage FedEx, DHL, and Correos lures being sent hourly.

The malware is believed to have made over 7,000 victims in the UK alone, where the campaign operators were using more than 700 unique domains for the distribution of FluBot.

Proofpoint says that U.S. users have already started receiving German and English-language phishing SMS messages, suggesting that the threat actor is getting ready to expand to this country. The pattern is similar to how the attacks started in the UK, where users first received German messages and only then English ones.

The attack starts with the victim receiving a SMS message supposedly arriving from a delivery service, which includes links to compromised sites. When clicking the link, the victim is prompted to download a malicious app featuring the delivery service’s logo, but which has FluBot embedded within.

The application requires user interaction to gain privileges to use Android Accessibility Service, as well as for Notification access. Once it has received the necessary permissions, FluBot gains access to the entire device, acting “as spyware, SMS spammer, and credit card and banking credential stealers,” Proofpoint explains.

FluBot also sends the victim’s contact list to the command and control (C&C) server, to spread further, and can intercept SMS messages, USSD messages from service providers, and app notifications. It can also open pages in the browser, disable Google Play Protect, open a SOCKS connection for C&C communication, and uninstall applications.

Furthermore, the malware can display overlays for various banking apps, as well as for Google Play verification, and can validate captured credit card numbers locally and only then send them to the C&C.

“FluBot is likely to continue to spread at a fairly rapid rate, moving methodically from country to country via a conscious effort by the threat actors. As long as there are users willing to trust an unexpected SMS message and follow the threat actors’ provided instructions and prompts, campaigns such as these will be successful,” Proofpoint concludes.

Related: Massive Android Botnet Hits Smart TV Ad Ecosystem

Related: Recently Patched Android Vulnerability Exploited in Attacks

Related: Fake Netflix App Luring Android Users to Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.