Finland’s National Cyber Security Centre (NCSC-FI) has issued a serious alert warning of a widespread operation to infect Android users with the Flubot banking malware, which is spread via text messages sent from hacked smartphones. It is Finland’s second large-scale Flubot campaign this year. The previous set of attacks appeared between June and August 2021, affecting thousands of Finns every day.
Like the last one during the summer, the current spam campaign has a voicemail theme, encouraging the recipients to open a link that will allow them to retrieve a voicemail message or a message from the mobile operator.
Instead of receiving a voicemail, SMS users are led to malicious websites that push APK installers to install the Flubot financial virus on their Android devices. Targets with iPhones or other mobile devices will be sent to other fake and potentially harmful pages, such as phishing landing pages that seek to steal their credit card information.
In a recent notice, the Finnish National Cyber Security Centre stated that approximately 70,000 messages had been sent in the previous 24 hours. It expects the number of texts to reach thousands soon if the current campaign is as vigorous as the one in the summer. There have already been dozens of confirmed cases of infected devices.
Android users who receive Flubot spam messages are advised not to open the embedded links or download the files supplied via the link to their handsets. Since late 2020, this financial malware (aka Fedex Banker and Cabassous) has been active on affected smartphones, stealing banking passwords, payment information, text messages, and contacts.
Flubot spreads to other Android devices by sending spam text messages to stolen contacts, directing them to install malware-ridden programs in the form of APKs. Last month, Flubot started tricking its victims into infecting themselves with fake security-update alerts warning about Flubot infections.
Once installed on a new device, it tries to deceive users into granting extra permissions and access to the Android Accessibility service, allowing it to hide and execute harmful actions in the background. It then takes control of the infected device and uses WebView phishing pages overlaid on top of authentic mobile banking and cryptocurrency app interfaces to steal the victims’ payment and banking information.
Flubot also reads SMS messages, makes phone calls, and monitors system alerts for app activity, as well as exfiltrating the address book to the command-and-control server (with the contacts then transferred to other Flubot bots for spam distribution).
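The behaviours described above correspond to standard Android permissions, so an APK's decoded AndroidManifest.xml (for example, as text XML produced by a decompiler) can be triaged for that combination before anyone installs it. The Python script below is an added example, not code from NCSC-FI or the original article; the behaviour-to-permission mapping, the flagging rule and both sample manifests are assumptions constructed for illustration and are not taken from a real Flubot sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping: behaviour named in the article -> standard Android permission.
BEHAVIOURS = {
    "reads SMS": "android.permission.READ_SMS",
    "sends SMS": "android.permission.SEND_SMS",
    "makes phone calls": "android.permission.CALL_PHONE",
    "reads address book": "android.permission.READ_CONTACTS",
}
# A <service> guarded by one of these can act as an accessibility service
# or read notifications ("system alerts").
SERVICE_BINDINGS = {
    "accessibility service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

def triage_manifest(manifest_xml):
    """Return the article's behaviours that this manifest makes possible."""
    # Input is an analyst-decoded manifest; use a hardened parser for untrusted XML.
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    hits = [label for label, perm in BEHAVIOURS.items() if perm in requested]
    hits += [label for label, perm in SERVICE_BINDINGS.items() if perm in bound]
    return hits

def is_suspicious(manifest_xml):
    """Assumed rule: accessibility service plus the SMS-spreading pair."""
    hits = triage_manifest(manifest_xml)
    return {"accessibility service", "sends SMS", "reads address book"} <= set(hits)

_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
def _perm(name):
    return '<uses-permission android:name="android.permission.%s"/>' % name

# Constructed sample: a sideloaded "voicemail" app asking for everything.
SAMPLE_VOICEMAIL = (_HEAD + _perm("READ_SMS") + _perm("SEND_SMS")
    + _perm("CALL_PHONE") + _perm("READ_CONTACTS")
    + '<application><service android:name=".Svc" android:permission='
    + '"android.permission.BIND_ACCESSIBILITY_SERVICE"/></application></manifest>')
# Constructed sample: an ordinary messaging app without an accessibility service.
SAMPLE_MESSENGER = (_HEAD + _perm("READ_SMS") + _perm("SEND_SMS")
    + _perm("READ_CONTACTS") + "<application/></manifest>")

if __name__ == "__main__":
    for name in ("SAMPLE_VOICEMAIL", "SAMPLE_MESSENGER"):
        print(name, triage_manifest(globals()[name]), is_suspicious(globals()[name]))
```

A match is a reason to escalate the APK for analysis, not proof of infection, since legitimate apps can request the same permissions.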