A Swiss cybersecurity company PRODAFT reported that newly discovered FluBot Android malware is impersonating an Android mobile banking application to draw fake webview on its target applications and steal users’ private information.
FluBot Malware Spreading Through SMS
According to researchers, the malware primarily focuses on stealing credit card details or online banking credentials, apart from personal data. It is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMS messages, and transmit the phone’s complete contact list to its control center.
Researchers have named it FluBot because of the flu-like method in which it grows and spreads.
How it Steals Information?
FluBot infects Android devices by appearing as FedEx, DHL, Correos, and Chrome application and forces the unsuspecting user to change the Accessibility settings on the device so that it could maintain persistence on the device.
One of the examples of how the malware hides behind phone apps:
Additionally, it downloads fake login screens of various famous banks, which leaves little room for suspicion. When the use enters their login details on the fake pages, the data is immediately sent to the malware’s control center, and malware operators can easily exploit it.
FluBot can Intercept OTPs:
FluBot malware intercepts all banking-related OTPs (one-time passwords) by replacing the default SMS app on the targeted device. Hence, it becomes capable of receiving access keys sent via SMS.
Moreover, it sends similar SMS messages to other contacts to lure them into downloading the fake app.
Malware has infected over 60,000 Android Devices:
Within just two months, the FluBot malware strain has infected over 60,000 devices. Around 97 percent of its victims are located in Spain. Moreover, it has access to mobile phone numbers of around 11 million Spanish users, which makes up around 25% of the country’s population.
PRODAFT researchers noted [PDF] that the malware might collect all Spanish phone numbers if it isn’t stopped in time. This explosion in infection number is because it has a worm-like mechanism that allows the malware operator to get the victim’s entire contact list. Using the SMS load distribution method, the malware sends SMS spam to other contacts.
How to remove it?
After getting access to Accessibility services, the user cannot uninstall it. When they try to uninstall it, a message pops up that reads:
“You can not perform this action on a service system,” and the Settings app is force-closed. The best way to remove FluBot from the device, linuxct developed an open-source app called malninstall is your best bet.