FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.
The Nordic country’s National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that’s malicious.
“The messages are written in Finnish,” the NCSC-FI explained. “They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator.”
NCSC-FI said it detected about 70,000 of these messages over a 24-hour period and has confirmed dozens of infections arising from the malware. The agency’s advice is, unsurprisingly, to not authorize the installation of the malicious Android app.
Those infected are advised to perform a factory reset on their Android device to remove the malware. If iOS users receive FluBot messages and click on the included link, they can expect to be redirected to fraud and phishing sites instead of being prompted to install an app.
Once successfully installed on a device, FluBot can access the contacts list, spam out texts to other users, read messages, steal credit card details and passwords as they are typed into apps, install other applications, and carry out other crooked activity.
FluBot was previously active in Finland in June 2021 and was the subject of an alert at the time.
Don’t look a GriftHorse in the mouth: Trojan trampled 10 million Android devices
But FluBot’s reach extends beyond a single country. In August, the malware was vexing Android users in Australia. In October, authorities in New Zealand warned of a FluBot surge.
“FluBot attempts to steal your banking and credit card information as well your contact list, which it uploads to a server to continue spreading itself,” said CERT NZ. “Once a device has been infected with FluBot it can result in significant financial loss.”
The malware family has also been showing up on various websites, where anyone might encounter the malicious code. Internet services firm Netcraft on Monday said it has identified almost 10,000 websites distributing FluBot malware.
‘[T]hese sites are unwittingly hosting a PHP script that acts as a proxy to a further backend server, allowing otherwise legitimate sites to deliver Android malware to victims,” the company said. “When visited by the intended victim, a ‘lure’ is displayed that implores them to download and install the FluBot malware.”
Among these enticements is the offer of an Android security update to protect against FluBot that is actually – wait for it – just FluBot. Other common lure themes include package delivery notifications and voicemail messages.
Netcraft said the websites distributing FluBot also host legitimate content, leading the company to believe that the website operators are unaware their sites have been subverted. The company speculates that the malware operators are exploiting known vulnerabilities in WordPress to infect websites because the identified sites are all self-hosted WordPress instances. ®
Speaking of Android… ThreatFabric said this month it has identified a bunch of malicious apps, installed 300,000-plus times, available in the Google Play store that can steal people’s online banking credentials. Typically, the app will look legit, then require an update that brings in malicious code. ThreatFabric has listed the names of the applications and other indicators of infection.