Super-spreader FluBot squashed by Europol

Your package is delayed. Click this innocent-looking link to reschedule

FluBot, the super-spreader Android malware that infected tens of thousands of phones globally, has been reportedly squashed by an international law enforcement operation.

In May, Dutch police disrupted the mobile malware's infrastructure, disconnecting thousands of victims' devices from the FluBot network and preventing more than 6.5 million spam text messages propagating the bot from reaching potential victims, according to Finland's National Bureau of Investigation on Wednesday.

The takedown followed a Europol-led investigation that involved law enforcement agencies from Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the US. 

First spotted in December 2020, FluBot picked up steam in 2021 and compromised non-trivial numbers of Android phones worldwide, including more than 70,000 in Spain and Finland. The malware spreads via spam messages telling Android users to click a link to install a malicious app, purporting to be a package-delivery tracker, or asking users to listen to a fake voice message.

"FluBot is a particularly worrying example of 'new malware' because of its capacity to adapt," security firm Bitdefender warned late last year. "Although the method is always the same, the story changes periodically, and it's harder and harder to spot."

First, the scam instructed users to click a link and reschedule a package delivery. But after people caught on, the text message changed and asked users to click a link to view a photo shared by a friend. 

"When this method started flopping, the attackers began sending messages that ironically warned users their phones are infected with the FluBotvirus and they need to take immediate action," Bitdefender noted. And yes, you can guess what happened after users clicked on the fake link. 

Once installed, FluBot asked for accessibility permissions, and the intruders used this access to steal banking app credentials and cryptocurrency wallet details. Plus, the software nasty also stole the smartphone's contacts, and would then send text messages with malicious links to all the phone numbers saved in the device to spread itself further.

While the law enforcement officials say this strain of FluBot is inactive, they also don't know who developed and operated the malware campaign. An investigation is currently ongoing to identify the criminals behind the global operation.

Although the best advice on preventing infection is to not click on any suspicious links sent via text, Europol also lists a couple ways to tell if an app is likely malware:

  • If you tap an app, and it doesn't open (it's likely got nothing to show and hopes you leave it alone)
  • If you try to uninstall an app, and are instead shown an error message

And if you think an app may be malware, it's time to reset the phone to factory settings, they suggest. ®

Other stories you might like

  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading

Biting the hand that feeds IT © 1998–2022