Skip to content

Trending tags

FluBot Android malware is spreading fast

Luciano Hernández

30.04.21 4 min. read

A new Android malware called Flubot is spreading in Europe. FluBot steals passwords and login information to your online accounts, personal details, and banking information. The information is used to make payments (or in other words: steal your money), account takeover and online identity theft. FluBot also sends SMS messages to new victims and spreads itself further. All of this is done without the users’ knowledge.  

FluBot has so far been detected mostly in European countries. It’s likely to spread also to the rest of the world if the threat actors behind it aren’t stopped.  

Here’s how FluBot works 

An infected device sends an SMS message that contains a phishing link. The message claims it has been sent by some well-known delivery service, like DHL, UPS, FedEx, Correosor Amazon. 

The message tells there’s a package in delivery and prompts the receiver to install a tracking app to settle the delivery time. Following the provided link, the victim downloadthe malware that is masked using the delivery company’s name and logo.  

FluBot asks for accessibility permission

Once downloaded, the “tracking app” that actually is FluBot, asks for accessibility permissions. If granted, the malware grants itself more extensive app permissions and becomes a system app. Then it can start its work. 

How to remove it 

If FluBot has already infected your Android device, and it has been granted accessibility right, there’s two ways you can remove it.  

First you can use Android Debug Bridge (ADB) to stop the malware from being a system app, after which you can uninstall it. The phone needs to be in developer mode with ADB enabled. Here are the commands to remove the malware from system apps: 

$adb shell pm disable-user <package_name> 

$adb uninstall <package_name> 

If this sounds too techy for you, you can also do a factory reset on your phone, which erases the malware. Here’s how you do a factory reset >> 

Please note that while the versions of FluBot analyzed by F-Secure so far are removed by the ADB method, it is always possible that future version could try to root your device and/or implement persistence mechanisms which wouldn’t necessarily be removed by this method. For this reason, the factory reset is considered the safest option since it deletes all data. 

 

Does F-Secure protect from FluBot? 

F-Secure SAFE Browser detects the phishing website and warns the user to not enter the site.  

FluBot phishing site blocked

If FluBot is installed, F-Secure SAFE detects it and asks the user to uninstall the malicious app.  

 

  Malware posing as FedEx appFluBot uninstallation on F-Secure SAFE

 

While F-Secure SAFE can’t prevent the user from installing the app, it warns very clearly that it is not a good idea to do so. 

Android malware left uninstalled warning

Many thanks to our Tactical Defense team Researcher Catarina de Faria Cristas for the technical analysis behind this post.

How to stay safe from FluBot and other mobile malware  

There should be no illusion about this: mobile phones are not immune to online threats. Malware, phishing, unsafe networks, and other threats for mobile phone users also exist. FluBot is just one of the newest threats out there. Here’s a few things you can do to protect your mobile phone and digital life on the go.

1. Use antivirus for mobile devices

Malware targeting mobile devices is getting more common. While official app stores are not likely to spread malware, you can get infection from other sources. F-Secure SAFE is certified for Android and it helps you keep your phone free of malware. It also secures your online shopping and banking. 

2. Don’t open suspicious links

Check the email address of the sender. Due to the smaller screen space, most mobile email apps show only the name of the sender, not their address. Mobile devices are also used on the go, which makes it easier to fall for phishing scams. Don’t open suspicious links. Remember, no reputable company or authority will ask for personal information through email or SMS.  

3. Avoid shady apps

While there’s no unambiguous way to tell a suspicious app from a genuine app, start by thinking what you use it for. If it’s not necessary, there’s no point in getting it. If it doesn’t work for you, delete it immediately. In case of tracking packages, you can typically do that on the carrier’s website and don’t need a separate app for that. Don’t download apps from unofficial appstores and remember that it’s not a good idea to enable the “Install from Unknown Sources” option. 

4. Don’t give apps unnecessary permissions

Like in FluBot’s case, granting app permissions can enable malware and other suspicious apps to do malicious tasks. It can also lead to data leakage. Always consider what permissions you grant to apps. Why do they need them? 

Read more about this topic: 4 Threats to your mobile security and what to do about them >> 

As an iPhone user, do I have to care about FluBot 

The malware itself isn’t a threat to iPhone users, but the phishing website can still be dangerous. Don’t open any suspicious links and be careful about what personal information you give to online services. The 4 tips provided earlier are useful for iPhone users as well.  

Try F-Secure SAFE mobile security app for free 

To get protected against FluBot and other mobile malware, get F-Secure SAFE on your phone. You can try it for free for 30 days with no credit card required. You can get it to protect your computer as well with the same subscription. SAFE is also part of our all-in-one cyber security package, F-Secure TOTAL, which also includes a secure and fast VPN and a handy password manager with identity protection. It’s all the protection you need for your mobile device. 

Luciano Hernández

30.04.21 4 min. read

Categories

F-Secure SAFE makes it easy to check app permissions - and maybe discover stalkerware apps

Related posts

Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.