Recognizing and guarding against SMS FluBot phishing scams

Recognizing and guarding against SMS FluBot phishing scams
(Image credit: Shutterstock)

In recent weeks, mobile users in several countries have been receiving SMS messages linking to a banking Trojan called “FluBot”. This threat pretends to be from a delivery company and asks users to install a tracking app in order to track the status of the package, but in fact is used to steal credentials and other personal data. At Avast we’re continuing to see new samples of FluBot coming in daily via our mobile threat intelligence platform

About the author

Ondrej David is Malware Analysis Team Leader at Avast.

According to recent research, FluBot so far has already infected 60,000 devices and the total number of phone numbers collected by the attackers was estimated at 11 million by late February/early March.

The first FluBot attacks have been reported weeks ago, and we still see tens of new sample versions evolving every day. At the moment, primary targets of the attacker’s campaign are the U.K., Spain, Italy, Germany, Hungary and Poland. But we expect that the scope of operation may be extended to target other countries in the very near future. The rapid continuation of this campaign shows that it is successful, and users must be made aware of the threat so that they can guard against it.

How FluBot works

FluBot is an example of an SMS-based malware campaign. It spreads by sending SMS messages claiming the recipient has a package delivery and urges them to download a tracking app using the included link. If the recipient clicks on the link, they are taken to a site that offers to download the app. The app is malware that, when installed, steals the victim’s contact information and uploads them to a remote server. This information is later used by the server to send additional messages and further distribute the malicious SMS messages to those contacts.

The malicious app uses an Android component known as Accessibility to monitor the device, and to take control of it. For instance, this enables it to show high priority window overlays; in other words, the malware can show something over anything that's currently on the screen. For example, a fake banking portal displayed over a legitimate banking app activity. If the user enters his or her credentials on that overlay screen, they would risk being stolen.

This component is also exploited by the malware as a self-defense mechanism to cancel any uninstallation attempts by affected users, which makes it difficult to remove from infected devices.

How does a FluBot SMS look?

What makes this malware particularly successful is that it disguises itself as postal/parcel delivery services, using text along the lines of ‘Your parcel is arriving, download the app to track’ or ‘You missed your parcel delivery, download the app to track’, to which a lot of unsuspecting users would easily fall victim. This is especially the case in the current situation where some form of home delivery has become the standard mode of operation for many businesses during the pandemic.

Cybercriminals are taking advantage of trends and current events to make sure they attract as many potential victims as possible. During the pandemic, more people have grown used to online shopping and it is not uncommon to regularly be receiving parcels and packages. Two-thirds of consumers have increased their online shopping activities compared to before the pandemic.

How to protect yourself from FluBot?

First and foremost, install an antivirus solution that prevents threats like FluBot. Also, if you think you already are affected by FluBot, you can install an antivirus app to run a scan on your device to identify the malware. If it is found, it’s advisable you reboot your device to safe mode and uninstall the detected application from there. With this step, all other third party applications will be disabled momentarily too, but they will be active again with the next regular reboot.

If users think they may have been victim of credential theft via this attack, it’s advisable to reset any passwords for services they feel might have been compromised, such as banking and shopping apps.

Users can also protect themselves from FluBot and other mobile phishing attacks by following measures below:

  1. Do not click on links in SMS messages. Especially if a message is asking you to install software or apps on your devices.
  2. Be a skeptic. Err on the side of caution with any suspicious SMS. If you receive a communication you weren’t expecting, it is always best to call the company yourself using the contact information provided on their legitimate website, to confirm the message received. Don’t reply directly to suspicious communication. Always begin a new communication via the company’s official service channels.
  3. Question the message. It is important that you train your eyes to detect phishing messages. These tend to be generic and spread to the masses, as well as automated messages or messages that present an offer that seems too good to be true (i.e. how to win a new smartphone or inherit a large sum of money from an unknown family member).
  4. Do not install apps from anywhere but the official app stores. Most major shipping companies have their own apps available for download at trusted stores like Google Play or the Apple App Store. Also, set your mobile device’s security to only install apps from trusted sources like Google Play or the Apple App Store.

Awareness is the key for defending users against phishing scams such as FluBot, and at a time when many are distracted by world events it is understandable to see a rise in successful attacks. At Avast, we are committed to empowering people with tools to protect themselves against these threats and are working to make the internet a safe place for everyone.

Ondrej David is Malware Analysis Team Leader at Avast.