Posted: April 28, 2021 by Pieter Arntz
Using a proven method of text messages about missed deliveries, an old player on the Android malware stage has returned for an encore. This time it seems to be very active, especially in the UK where Android users are being targeted by text messages containing a link to a particularly nasty piece of spyware called Flubot.
Warning from the National Cyber Security Centre
On its website, the National Cyber Security Centre (NCSC) warns about the spyware that is installed after a victim receives a text message that asks them to install a tracking app, because of a missed package delivery. The tracking app is in fact spyware that steals passwords and other sensitive data. It will also access contact details and send out additional text messages in order to further the spread of the spyware.
Network providers join in
The problem is apparently so widespread that network providers have noticed it too, and some of them, including Three and Vodafone, have issued their own warnings to users about the text message attacks.
Three warns victims who have installed the spyware:
You should be advised that your contacts, SMS messages and online banking details (if present) may have been accessed and that these may now be under the control of the fraudster.
It goes on to tell victims that a factory reset is needed, or they will run the risk of a fraudster accessing their personal data.
Branding of the text messages
Most of the reported messages pretend to be coming from DHL.
But users have also reported Royal Mail and Amazon as the “senders.” Readers should be aware that it isn’t enough to simply watch out for messages from one or two senders though. If the campaign proves successful for the criminals running it, it will evolve and change over time and they will likely try other tactics.
History of Flubot
These types of smishing (SMS phishing) attacks have been on the rise for the last few years. Previously, Flubot was seen operating a fake FedEx website that targeted Android users in Germany, Poland, and Hungary in basically the same way: by sending text messages with a parcel tracking URL that led to malware downloads. Initially the operators worked in Spain (with Correos Express as the sender), until arrests were made there that slowed the operation down for a while. It would not come as a surprise if continued success leads the Flubot operators to target the US next.
Malwarebytes for Android detects the several Flubot variants as Android/Trojan.Bank.Acecard, Android/Trojan.BankBot, or Android/Trojan.Spy.Agent.
As we pointed out, the initial attack vector is a text message with a link that downloads the malware. The package names often include com.tencent, and the app uses the delivery service’s logo as its icon. During installation the malware shows misleading prompts to get itself installed and to acquire the permissions it needs for its actions. These permissions allow it to:
- Send messages to your contacts
- Act as spyware and steal information
Depending on the variant, Flubot can also:
- Intercept incoming messages
- Intercept notifications
- Open web pages
- Disable Google Play Protect
- Uninstall other applications
- Contact a Command and Control server based on a Domain Generating Algorithm (DGA)
Unless you know exactly what to look for to determine whether a message is actually coming from the claimed sender, it is better not to click on links in unsolicited text messages. That is always solid advice, but when you are actually expecting a parcel, the message may not count as unsolicited in your mind.
Our first impulse is often to click and find out what’s up. At the very least, we should stop and ask if the message and the URL stand up to scrutiny. If you think the message is genuine, it is still best not to click on the link, but instead search for the vendor’s website and look for its parcel tracker.
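The scrutiny of the message and the URL recommended above can be turned into a simple triage heuristic that flags a carrier-branded text whose link does not lead to that carrier’s own domain, points at an APK, or uses a bare IP or plain http. The Python below is an added example, not code from Malwarebytes or from the original post; the brand-to-domain allowlist and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate domains for the brands impersonated in this
# campaign; a real deployment would maintain and extend this list itself.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.co.uk"},
    "royal mail": {"royalmail.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host):
    """Crude registrable-domain extraction: last two labels, or the last three
    for two-level public suffixes such as .co.uk. Sufficient for this heuristic."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score_sms(text):
    """Return (score, reasons) for one SMS body; a higher score is more suspicious."""
    reasons = []
    low = text.lower()
    brands = [b for b in BRAND_DOMAINS if b in low]
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        dom = registrable_domain(host)
        # Naming a carrier while linking somewhere else is the core smishing pattern.
        for b in brands:
            if dom not in BRAND_DOMAINS[b]:
                reasons.append(f"claims {b} but links to {dom}")
        # Flubot arrives as an APK; a genuine parcel tracker never hands out one.
        if parsed.path.lower().endswith(".apk"):
            reasons.append("link points directly at an APK")
        # Bare IP hosts and plain http are typical of throwaway phishing infrastructure.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link uses a bare IP address")
        if parsed.scheme == "http":
            reasons.append("link is plain http")
    return len(reasons), reasons
```

A score of zero means the heuristic found nothing to object to, not that the message is genuine; it is a prompt to pause, not a verdict.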
If you did not click the link, simply remove the message from your device so you do not click it by accident in the future.
If you have clicked the link but then stopped because you were suspicious of the fact that it initiated a download, well done. You stopped in time.
If you did download the malware, scan your device with a legitimate Android anti-malware app. If it can’t disinfect your phone, you will need to perform a factory reset to remove it. If you do this, there is a possibility you will lose more than just the malware, unless you have made backups.
You should also change any passwords you stored on the device, and any you entered on the device after the infection began, because they may have been compromised by the spyware.
Finally, if you used the device for online banking, check your bank balances and contact your bank so that they can stop or correct any fraud that results.
Stay safe, everyone!