Netcraft’s researchers analyzed Android banking malware FluBot and have revealed that the number of distribution pages for the Trojan has increased significantly. This suggests that the operation is expanding, researchers say.
Recently, attackers started to display new overlay screens that target banks in Germany and Poland. These were observed only days after the news that FluBot had begun to target Australian banks.
FluBot is usually distributed via text messages containing links to lure pages. These pages are typically hosted on compromised web servers; they mimic delivery or voicemail services and trick visitors into downloading the malware.
One scam text reads, “( UPS ) Your package is arriving, track here.” Another: “Your order will be delivered by DX today between 11:26 and 14:26. Track progress.”
Once installed, FluBot uses overlays that mimic financial apps and show fake user interfaces that look like the app’s homepage. The goal is to trick users into entering credentials. Any credentials that a user enters are sent to a server that is controlled by FluBot operators.
Attacks were discovered on the following German banking apps from 10 to 13 August: Consorsbank, N26 — The Mobile Bank, SpardaApp, Sparkasse Ihre mobile Filiale, and VR Banking Classic. These apps have a total of more than 20 million users.
On August 12, 2016, FluBot launched a targeted attack against the following Polish banking apps: Bank Millennium, BNP Paribas GOMobile, Getin Mobile, IKO, mBank PL, Moje ING mobile, plusbank24, and Santander mobile.
As of August, the number of websites involved in the distribution of the FluBot APK has increased tenfold.
Upon installing FluBot, the user is asked to grant the app various access permissions. It then proceeds to take over the device and also protects itself from being uninstalled.
The malware then downloads and installs overlays for the apps present on the victim’s device, and displays the matching overlay whenever a targeted app is launched, in order to steal the credentials the user enters.
Through reverse-engineering and analyzing communication with C2 servers, Netcraft was able to identify the affected applications.
The FluBot malware also uses a domain generation algorithm to produce a list of candidate C2 domains and rotates them over time to hinder analysis. Each C2 domain points to 10 different compromised servers, which keeps FluBot’s command and control infrastructure operating even when individual servers are taken down.