Android malware with worm-like capabilities FluBot has been impersonating Android mobile banking applications and mail operators to open fake pages on its target applications and steal users’ private information. It reportedly infected over 60,000 devices so far.
A Swiss cybersecurity company PRODAFT detailed the findings in a report [PDF] published last Friday and prompted the cybersecurity community to stop the advance of the malware.
Originally discovered by ThreatFabric in January 2021, the malware primarily steals credit card details or online banking credentials, but also personal data. Attackers deliver it via an SMS. From there, it mimics a well-known Chrome application to gain trust and tricks the user into change the Accessibility settings on the device so that the malware could maintain persistence.
In the past, FluBot presented itself to Android device users as well-known mail operators such as FedEx, DHL, and Correos. But it also faked login screens of various banks.
Once successfully deployed, it can eavesdrop on incoming notifications, read or write SMS messages, and even make calls. It will also leak the phone’s complete contact list to its operator(s).
Because of the flu-like method of spreading, the researchers named it FluBot. By replacing the default SMS app on the victim’s device FluBot intercepts all banking-related one-time passwords (OTPs). Having hijacked the device, attackers can send phishing SMS messages to the victim’s contacts with a link to download the malicious app.
According to the researchers, within the past two months, FluBot has infected over 60,000 devices with 97% of them located in Spain. By stealing victims’ entire contact lists, the attackers got their hands on phone numbers of around 11 million Spanish users, which is about 25% of the country’s population.
Researchers say after the malware gets access to Accessibility services, the victim cannot uninstall it. The best way to remove FluBot, researchers advise, is with an open-source app called malninstall developed by linuxct.