FluBot is gaining momentum and spreading quickly through Android devices stealing personal information like passwords and bank details. It is capable of infecting other devices by abusing the victim’s contacts.
A malware campaign with FluBot starts with a text message claiming to be about a package delivery via DHL, Asda, Amazon, or Argos. When users click a link to track a package, the phishing site offers to install a fake application to follow the delivery. The app contains malware stealing information from infected Android phones.
Three and Vodafone have issued warnings to their users about FluBot, while the UK’s National Cyber Security Centre (NCSC) has issued guidance on how to remove FluBot.
Once installed, FluBot steals the victim’s address book to send similar text messages to more victims further spreading itself. It’s this mechanism of using contact lists that is allowing FluBot to spread quickly.
Once installed, FluBot tries to obtain the necessary permissions from the victim to access and steal sensitive information – passwords, bank details, and other personal information.
So far, the malware only infected Android devices, but iOS users should also watch out for text malicious messages about delivery as phishing operators could still repurpose their campaign to be used to steal personal information from Apple device users.
The NCSC has urged to forward such suspicious messages to number 7726, a free spam-reporting service, and delete them.
Users who’ve already clicked the link by mistake and downloaded the app are advised not to login to any online accounts and promptly perform a factory reset of the device and then restore the data on their devices via backups. An important caveat here is not to restore from backups made after FluBot malware was installed.
As a final measure, users should change all passwords for online and app accounts they’ve logged in to since installing the fake app.
