FluBot, a widely circulated malware family, is still evolving: new campaigns deliver the malware disguised as Flash Player, and its developers keep introducing additional features. FluBot is Android banking malware that steals credentials by presenting overlay login forms on top of the apps of various banks worldwide.
Fake security updates, fake Adobe Flash Player installers, voicemail notifications, and imitation parcel delivery alerts are among the smishing (SMS phishing) lures used to spread it. Once it has gained access to a device, FluBot can steal online banking credentials, send or intercept SMS messages (including one-time passwords), and capture screenshots. The malware spreads quickly because it uses the victim's smartphone to send new smishing messages to all of their contacts.
According to MalwareHunterTeam, the new FluBot campaigns are delivered via SMS messages asking recipients whether they want to upload a video from their device. CSIRT KNF shared an example of this campaign's SMS message aimed at Polish recipients. When recipients open the link, they are taken to a site that serves a counterfeit Flash Player APK [VirusTotal], which installs the FluBot malware on their Android device.
To protect themselves from malware, Android users should avoid installing apps from APKs hosted on third-party sites. This is especially true for well-known vendors such as Adobe, whose software should only be downloaded from reputable sources.
Version 5.0, released in early December 2021, is the most recent major update, and version 5.2 was released just a few days ago. The malware developers paid close attention to the DGA (Domain Generation Algorithm), since it is critical to keeping the actors' C2 infrastructure reachable. The DGA generates many new C2 domains on the fly, so static DNS blocklists are quickly out of date and ineffective. FluBot's DGA now uses 30 top-level domains instead of the previous three, and it includes a new command that lets the attackers update the DGA seed remotely.
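Because every domain the DGA produces is new, blocking individual names does not help; what a defender can look for instead is the pattern the DGA leaves in resolver logs. The following is an added detection example, not code from the page or the F5 Labs report: it scans constructed resolver log lines for clients that resolve many high-entropy second-level domains spread across several TLDs. The log format, the entropy threshold, the domain counts and the sample names are all assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log, "<timestamp> <client-ip> <queried-name>" (sample data
# made up for this example, not taken from the page).
SAMPLE_LOG = """\
2021-12-10T10:00:01 10.0.0.5 www.example.com
2021-12-10T10:00:02 10.0.0.5 mail.example.com
2021-12-10T10:00:03 10.0.0.7 kqzvlrmtpxwb.ru
2021-12-10T10:00:03 10.0.0.7 bxpdfjqwnrls.cn
2021-12-10T10:00:04 10.0.0.7 zmwtqlkvdrhs.top
2021-12-10T10:00:04 10.0.0.7 vrqxnlpmtskd.xyz
2021-12-10T10:00:05 10.0.0.7 plkrvwtmznqd.info
2021-12-10T10:00:06 10.0.0.7 hqmsvplrtwnk.biz
2021-12-10T10:00:06 10.0.0.5 cdn.example.net
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking DGA labels score higher than real words."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> tuple[str, str]:
    """(second-level label, TLD) from the last two labels. Naive on purpose: a real
    deployment should use the Public Suffix List so 'co.uk'-style suffixes work."""
    labels = qname.rstrip(".").lower().split(".")
    return (labels[-2] if len(labels) > 1 else ""), labels[-1]

def flag_dga_clients(log: str, min_domains: int = 5, min_tlds: int = 3,
                     min_entropy: float = 3.0) -> dict[str, dict[str, int]]:
    """Flag clients resolving many distinct high-entropy domains spread across several
    TLDs: the footprint a DGA with a wide TLD set leaves in resolver logs, even when
    every individual domain is new and therefore absent from any blocklist."""
    seen = defaultdict(lambda: {"domains": set(), "tlds": set()})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        client, (sld, tld) = parts[1], registered_domain(parts[2])
        if shannon_entropy(sld) < min_entropy:
            continue  # ordinary human-readable name, ignore
        seen[client]["domains"].add(f"{sld}.{tld}")
        seen[client]["tlds"].add(tld)
    return {c: {"domains": len(v["domains"]), "tlds": len(v["tlds"])}
            for c, v in seen.items()
            if len(v["domains"]) >= min_domains and len(v["tlds"]) >= min_tlds}
```

On the sample log only 10.0.0.7 is flagged (6 random-looking domains over 6 TLDs), while the host resolving example.com and example.net is left alone; tune the thresholds against your own baseline before alerting on them.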
On the communication side, the new FluBot connects to its C2 through DNS tunneling over HTTPS rather than plain HTTPS on port 443, as it did previously. FluBot has not deprecated any commands from earlier versions; instead it has added new ones to expand its capabilities. See the F5 Labs report for additional technical insights into how the current version of FluBot works.