FluBot is a new Android malware first discovered in December 2020. During the first few months, FluBot has been active in Spain, Hungary and Poland. Since then, the development of the malware advanced quickly and the malware has set foot in almost all European countries.
On the 18th of June 2021, FluBot version 4.6 was spotted, which added a configuration for Switzerland. As of today it is actively being spamvertised through SMS.
FluBot is known by different names. The name “FluBot” is the best known because it was used in the first public technical write-up. The most well-known aliases are listed below:
- January 2021, ThreatFabric was the first to give it the name “Cabassous” in a Twitter post
- March 2021, ProDaft published a detailed technical report and gave it the name “FluBot”
- April 2021, IBM Trusteer took a deeper look at the different FluBot versions and gave it the name “FakeChat”
FluBot is distributed using smishing (a combination of the words SMS and phishing). The victim receives an SMS with a link to a URL which distributes the APK. Installation is straightforward via sideloading.
If the recipient device is not an Android mobile phone, or the fraudster does not want to distribute the malware at that time, the URL redirects the user to a scam website; with the Voicemail lure we have seen a redirection to the Voicemail app from Deutsche Telekom AG on the Google Play Store.
FluBot SMS messages are typically sent from other infected mobile phones. If the number of infected devices within a country is not very high, infected devices from other countries have been seen sending the SMS.
The SMS text varies, as do the URLs. Sometimes the messages refer to a parcel delivery using brands such as DHL or UPS. The current campaign in Switzerland uses Voicemail as a lure. The malware samples distributed in Switzerland from the smishing URLs are currently all FluBot. However, this may change, as in other countries another well-known trojan called Anatsa has been seen dropped instead. See also the tweet by ThreatFabric.