Watch out - that Android security update may be malware

Phone malware
(Image credit: Shutterstock)
Audio player loading…

The creators of FluBot (opens in new tab) have launched a new campaign that uses fake Android security update warnings to trick potential victims into installing the malware (opens in new tab) on their devices.

In a new blog post (opens in new tab), New Zealand's computer emergency response team Cert NZ has warned users that the message on the malware's new installation page is actually a lure designed to instill a sense of urgency (opens in new tab) that tricks users into installing FluBot on their own devices.

The new FluBot installation page, that users are led to after receiving fake messages about pending or missed package deliveries or even stolen photos uploaded online, informs them that their devices are infected with FluBot which is a form of Android spyware (opens in new tab) used to steal financial login and password data from their devices. However, by installing a new security update, they can remove FluBot from their Android smartphone (opens in new tab).

The page also goes a step further by instructing users to enable the installation of apps from unknown sources on their device. By doing so, the cybercriminals' fake security update can be installed on their device and while a user may think they've taken action to protect against FluBot, they've actually installed the malware on their smartphone themselves.

Changing tactics

Until recently, FluBot was spread to Android smartphones through spam text messages using contacts stolen from devices that were already infected with the malware. These messages would instruct potential victims to install apps on their devices in the form of APKs (opens in new tab) that were delivered by attacker-controlled servers.

Once FluBot has been installed on a user's device, the malware often tries to trick victims into giving it additional permissions as well as granting access to the Android Accessibility (opens in new tab) service that allows it to run in the background and execute other malicious tasks.

FluBot is capable of stealing a user's payment and banking information by using overlay attacks (opens in new tab) where an overlay is placed on top of legitimate banking, payment and cryptocurrency apps. As mentioned before, the malware will also steal a user's contacts to send them phishing messages to help spread FluBot even further.

While FluBot was mainly used to target users in Spain at its onset, its operators have since expanded the campaign to target additional countries in Europe including Germany, Poland, Hungary, UK and Switzerland as well as Australia and Japan in recent months.

Via BleepingComputer (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.