FluBot Android Malware
FluBot: SMS-Based Android Banking Trojan That Masqueraded as Delivery Apps
FluBot is a mobile banking trojan targeting Android devices, designed to steal credentials, intercept SMS messages, and spread via SMS phishing (smishing). First discovered in late 2020, it rapidly became one of the most widespread Android malware campaigns in Europe and beyond. Disguised as apps from DHL, FedEx, and other delivery services, FluBot tricked users into sideloading malicious APKs that granted it broad access to the device.
Introduction to FluBot
FluBot abused Android’s accessibility and notification permissions to steal passwords, credit card numbers, and two-factor codes. It also harvested the victim’s contact list and sent mass SMS messages with fake shipping updates or voicemail alerts to continue its spread. Its infrastructure and capabilities evolved quickly, with frequent updates and shifting geographic targets.
1. How FluBot Works
Infection Mechanism:
FluBot spread through a three-step chain:
- An SMS message claiming a package delivery had been missed or a voicemail was waiting, with a link to "track" or "listen"
- A landing page that prompted the user to download and install a fake delivery or voicemail APK, which first requires allowing installs from unknown sources
- An on-first-launch prompt to enable the app's accessibility service and grant SMS and contacts permissions; accessibility access lets the app read and act on any screen, which is what gives it effective control of the device
Payload Execution:
Once installed, FluBot:
- Overlaid fake login screens on banking apps to harvest credentials
- Stole incoming SMS messages, including two-factor authentication codes
- Sent the same smishing lure to every number in the victim's address book, so each infection seeded the next wave
- Maintained persistence by hiding its launcher icon and using its accessibility service access to resist uninstallation
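The propagation step above (one infected handset blasting the same lure, with a per-victim link, to its whole contact list) is visible from the sending side as a burst of near-identical outbound messages to many distinct numbers. The following is an added example, not code from the original page or from any FluBot analysis: a Python detector that runs over an outbound SMS log of the kind a carrier, SMS gateway or MDM product might export. The pipe-delimited log format, the sample messages, the lure keywords and the thresholds are all constructed assumptions.

```python
"""Flag senders that show FluBot-style propagation in an outbound SMS log:
a burst of near-identical messages, each carrying a URL and a delivery or
voicemail lure, sent to many distinct recipients in a short window.
Example code with constructed input; the log format and thresholds are
assumptions, not taken from any carrier, MDM product or vendor report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LURE_RE = re.compile(
    r"\b(package|parcel|delivery|shipment|voicemail|voice message|missed call)\b",
    re.IGNORECASE)

# Tunable thresholds (assumed values).
WINDOW = timedelta(minutes=10)   # burst window per sender
MIN_RECIPIENTS = 5               # distinct recipients needed inside the window
MIN_TEMPLATE_SHARE = 0.8         # fraction of messages that must share one template

# Constructed sample log, one message per line: timestamp|sender|recipient|text.
SAMPLE_LOG = """\
2021-04-12T09:14:02|+34600000001|+34600000101|Hi, running late, see you at 10
2021-04-12T09:15:11|+34600000002|+34600000201|DHL: Your package is waiting. Track it here: http://dhl-track.example/p/7f3a
2021-04-12T09:15:13|+34600000002|+34600000202|DHL: Your package is waiting. Track it here: http://dhl-track.example/p/7f3b
2021-04-12T09:15:14|+34600000002|+34600000203|DHL: Your package is waiting. Track it here: http://dhl-track.example/p/7f3c
2021-04-12T09:15:16|+34600000002|+34600000204|DHL: Your package is waiting. Track it here: http://dhl-track.example/p/7f3d
2021-04-12T09:15:17|+34600000002|+34600000205|DHL: Your package is waiting. Track it here: http://dhl-track.example/p/7f3e
2021-04-12T09:15:19|+34600000002|+34600000206|DHL: Your package is waiting. Track it here: http://dhl-track.example/p/7f3f
2021-04-12T09:20:40|+34600000001|+34600000102|Can you send me the photos from Saturday?
2021-04-12T09:31:05|+34600000003|+34600000301|You have a new voicemail: http://vm-listen.example/1
2021-04-12T09:31:08|+34600000003|+34600000302|You have a new voicemail: http://vm-listen.example/2
2021-04-12T09:31:10|+34600000003|+34600000303|You have a new voicemail: http://vm-listen.example/3
"""


def template_of(text):
    """Collapse per-victim links and digits so copies of one lure compare equal."""
    t = URL_RE.sub("<url>", text)
    t = re.sub(r"\d+", "<n>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def parse_log(log):
    """Parse 'timestamp|sender|recipient|text' lines; blank or malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, sender, recipient, text = (p.strip() for p in parts)
        rows.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                     "recipient": recipient, "text": text})
    return rows


def find_propagating_senders(rows):
    """Return {sender: finding} for every sender whose messages match the burst rule."""
    by_sender = defaultdict(list)
    for r in rows:
        by_sender[r["sender"]].append(r)
    findings = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(msgs):
            window = [m for m in msgs[i:] if m["ts"] - first["ts"] <= WINDOW]
            recipients = {m["recipient"] for m in window}
            if len(recipients) < MIN_RECIPIENTS:
                continue
            counts = defaultdict(int)
            for m in window:
                counts[template_of(m["text"])] += 1
            template, n = max(counts.items(), key=lambda kv: kv[1])
            share = n / len(window)
            # A burst only counts as propagation if the dominant template carries
            # both a link and a delivery/voicemail lure.
            if share < MIN_TEMPLATE_SHARE or "<url>" not in template or not LURE_RE.search(template):
                continue
            findings[sender] = {"distinct_recipients": len(recipients),
                                "template": template, "share": round(share, 2)}
            break
    return findings


if __name__ == "__main__":
    for sender, f in find_propagating_senders(parse_log(SAMPLE_LOG)).items():
        print(sender, f)
```

On the constructed log only +34600000002 is flagged: six recipients in eight seconds, all sharing the template `dhl: your package is waiting. track it here: <url>`. The voicemail sender +34600000003 matches the lure pattern but reaches only three numbers, below the assumed threshold, which is the trade-off to tune against your own baseline of legitimate bulk senders.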
2. History and Notable Campaigns
Origin and Discovery:
FluBot was first detected in late 2020, with rapid spread across Spain, Germany, the UK, and Australia in 2021. It was attributed to a cybercriminal group, not a state actor.
Notable Campaigns:
- Widespread campaigns disguised as DHL, UPS, and FedEx delivery notices
- Also tracked by some security vendors under the name "Cabassous"; the lures, languages, and target countries changed frequently from one wave to the next
- Shut down in May 2022 after a global law enforcement takedown coordinated by Europol
3. Targets and Impact
Targeted Victims and Sectors:
- Android smartphone users, especially those in Europe and Australia
- Users who sideloaded apps from non-Google sources
Consequences:
- Theft of bank credentials, passwords, SMS codes
- Involuntary involvement in spreading malware to others via SMS
- Data leakage and financial fraud
- Potential for SIM swap or account takeover attacks
4. Technical Details
Payload Capabilities:
- Steals bank login credentials, credit card numbers, SMS messages, and contact lists
- Displays fake overlays on top of banking and cryptocurrency apps
- Sends SMS spam from the victim's device and phone number
- Receives updates and instructions from a command-and-control server
Evasion Techniques:
- App hides itself from launcher after installation
- Uses misleading app names and icons (e.g., “Voicemail”)
- Requests extensive permissions, especially accessibility services
- Attempts to disable Google Play Protect through its accessibility access, and is never distributed through the Play Store, so Play Store review does not apply
5. Preventing FluBot Infections
Best Practices:
- Never install APK files from unknown or unsolicited links
- Keep "Install unknown apps" denied for browsers and messaging apps (on current Android versions this setting is granted per app, not globally)
- Be cautious of SMS messages claiming package deliveries or voicemails
- Keep Android OS and security apps up to date
- Use official app stores and verify sender identities
Recommended Security Tools:
- Mobile antivirus apps with SMS filtering and sideload detection
- Google Play Protect (if not disabled)
- Mobile device management (MDM) tools for enterprise environments
6. Detecting and Removing FluBot
Indicators of Compromise (IoCs):
- An installed app listed under Settings > Apps that has no launcher icon yet holds accessibility service access and SMS permissions
- Unusual SMS activity or unauthorized text charges
- Suspicious behavior while using banking apps (fake overlays)
- Messages sent from the device without the user’s knowledge
Removal Steps:
- Boot the phone into safe mode, where third-party apps (and therefore the malware's accessibility service) do not run and cannot block removal
- Revoke the app's accessibility service under Settings > Accessibility, then uninstall it from Settings > Apps
- Re-enable Google Play Protect if it was disabled
- Reset passwords for every account used on the phone, from a different clean device, since anything typed on the phone before removal may have been captured
- Run a full mobile antivirus scan
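The indicator and removal steps above can be scripted from a workstation when the device is attached over adb with USB debugging enabled, which is how a support or incident response team would triage several handsets. The following is an added example, not code from the original page or from any vendor tool: it parses three pieces of device state (the enabled accessibility services setting, the list of launcher activities, and the per-package permission dump), scores each package for the FluBot pattern (accessibility service enabled, SMS permissions, no launcher icon), and for a flagged package emits the adb commands to disable its accessibility service first and then uninstall it. All three inputs are constructed stand-ins for the output of `settings get secure enabled_accessibility_services`, `cmd package query-activities --brief ...` and `dumpsys package`; the package names, score weights and threshold are assumptions.

```python
"""Triage adb-collected state from a suspect Android device for a FluBot-style
hidden app and build the removal commands for anything flagged.
Example code; every input below is constructed, and the package names, score
weights and threshold are assumptions."""
import re

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = ("com.ghost.voicemail/com.ghost.voicemail.AccService:"
                "com.google.android.marvin.talkback/"
                "com.google.android.marvin.talkback.TalkBackService")

# Constructed output of: adb shell cmd package query-activities --brief \
#   -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
LAUNCHER_ACTIVITIES = """\
3 activities found:
  com.android.settings/.Settings
  com.bank.example/.MainActivity
  com.android.dialer/.DialtactsActivity
"""

# Constructed excerpt of: adb shell dumpsys package
DUMPSYS_PACKAGE = """\
  Package [com.ghost.voicemail] (3f2a1b):
    userId=10231
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.google.android.marvin.talkback] (77c0de):
    requested permissions:
      android.permission.INTERNET
      android.permission.FOREGROUND_SERVICE
  Package [com.bank.example] (9a0c44):
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
"""

SMS_PERMS = {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"android\.permission\.([A-Z_]+)")
FLAG_THRESHOLD = 6  # assumed: only reached when accessibility + SMS + hidden icon combine


def parse_enabled_services(raw):
    """{package: [component, ...]} from the colon-separated setting value."""
    out = {}
    for comp in raw.strip().split(":"):
        if "/" in comp:
            out.setdefault(comp.split("/", 1)[0], []).append(comp)
    return out


def parse_launcher_packages(raw):
    """Packages that expose a MAIN/LAUNCHER activity, i.e. have a home-screen icon."""
    return {line.strip().split("/", 1)[0] for line in raw.splitlines() if "/" in line}


def parse_package_permissions(raw):
    """{package: set(permission names)} from every permission line under each package."""
    perms, current = {}, None
    for line in raw.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
        elif current is not None:
            perms[current].update(PERM_RE.findall(line))
    return perms


def score_package(pkg, perms, a11y, launcher):
    """Additive score; each reason mirrors one indicator from the article."""
    score, reasons = 0, []
    if pkg in a11y:
        score += 3
        reasons.append("accessibility service enabled")
    sms = sorted(perms & SMS_PERMS)
    if sms:
        score += 2
        reasons.append("SMS permissions: " + ", ".join(sms))
    if "READ_CONTACTS" in perms:
        score += 1
        reasons.append("reads contacts")
    if "SYSTEM_ALERT_WINDOW" in perms:
        score += 1
        reasons.append("can draw over other apps")
    if pkg not in launcher:
        score += 2
        reasons.append("no launcher icon")
    return score, reasons


def triage(enabled_raw=ENABLED_A11Y, launcher_raw=LAUNCHER_ACTIVITIES, dumpsys_raw=DUMPSYS_PACKAGE):
    a11y = parse_enabled_services(enabled_raw)
    launcher = parse_launcher_packages(launcher_raw)
    results = {}
    for pkg, perms in parse_package_permissions(dumpsys_raw).items():
        score, reasons = score_package(pkg, perms, a11y, launcher)
        results[pkg] = {"score": score, "reasons": reasons, "flagged": score >= FLAG_THRESHOLD}
    return results


def remediation_commands(pkg, enabled_raw=ENABLED_A11Y):
    """Disable the package's accessibility service first, so it cannot interfere
    with removal, then uninstall the package for user 0."""
    keep = [c for c in enabled_raw.strip().split(":") if c and not c.startswith(pkg + "/")]
    if keep:
        a11y_cmd = 'adb shell settings put secure enabled_accessibility_services "%s"' % ":".join(keep)
    else:
        a11y_cmd = "adb shell settings delete secure enabled_accessibility_services"
    return [a11y_cmd, "adb shell pm uninstall --user 0 " + pkg]


if __name__ == "__main__":
    for pkg, r in triage().items():
        print(("FLAG " if r["flagged"] else "ok   ") + pkg, r["score"], r["reasons"])
        if r["flagged"]:
            print("\n".join("    " + c for c in remediation_commands(pkg)))
```

On the constructed data only com.ghost.voicemail crosses the threshold; the TalkBack screen reader also has an enabled accessibility service and no launcher icon, but without SMS or contacts permissions it scores below the line, which is why the rule is conjunctive rather than keyed on accessibility alone. Run the emitted commands with the phone in airplane mode, keep every legitimate service in the rewritten accessibility setting, and confirm removal afterwards with `adb shell pm list packages`.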
Professional Help:
If the infection results in financial loss or broader access compromise, seek help from mobile forensics or your bank's fraud team.
7. Response to a FluBot Infection
Immediate Steps:
- Disconnect the device from mobile networks (airplane mode)
- Uninstall the rogue app in safe mode
- Alert contacts that they may have received malicious messages
- Monitor for suspicious transactions or account activity
- Report to local cybercrime authorities if needed
8. Legal and Ethical Implications
Legal Considerations:
Sending SMS malware can constitute wire fraud, identity theft, and computer misuse. Victims may be unintentionally spreading malware — raising legal questions depending on intent and jurisdiction.
Ethical Considerations:
FluBot weaponized trust in mobile communications, creating chain-reaction infections by abusing users' contact lists. Its use shows how personal devices can become tools for mass exploitation.
9. Resources and References
- Europol press release: FluBot takedown (May 2022)
- The Government of Western Australia: Commissioner's blog — Don’t get infected by FluBot
- Avast Press Center: Avast Sees No End of Parcel Delivery Phishing SMS as New FluBot Samples Emerge Daily
- Bitdefender: What is FluBot and why you need to start taking it seriously right now
- MITRE ATT&CK Techniques:
10. FAQs about FluBot
Q: What is FluBot malware?
A mobile banking trojan that spread via SMS, disguised as package tracking or voicemail apps.
Q: How did it infect devices?
By tricking users into installing a fake app from a link in a malicious SMS message.
Q: What did it steal?
Bank credentials, SMS messages, contacts, and crypto wallet data.
Q: Is FluBot still active?
No — it was disrupted in May 2022 by law enforcement, though similar malware may still circulate.
11. Conclusion
FluBot was one of the most widespread Android banking trojans, using SMS-based social engineering and aggressive propagation to infect users and steal sensitive data. Though its infrastructure has been dismantled, FluBot remains a case study in how simple mobile malware can escalate into a global threat — and why users should be cautious with unsolicited messages and sideloaded apps.