Super-spreader FluBot squashed by Europol
Your package is delayed. Click this innocent-looking link to reschedule
FluBot, the super-spreader Android malware that infected tens of thousands of phones globally, has been reportedly squashed by an international law enforcement operation.
In May, Dutch police disrupted the mobile malware's infrastructure, disconnecting thousands of victims' devices from the FluBot network and preventing more than 6.5 million spam text messages propagating the bot from reaching potential victims, according to Finland's National Bureau of Investigation on Wednesday.
The takedown followed a Europol-led investigation that involved law enforcement agencies from Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the US.
- It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected
- Don't look a GriftHorse in the mouth: Trojan trampled 10 million Android devices
- Cops' Killer Bee stings credential-stealing scammer
- FBI: Cyber-scams cost victims $6.9b-plus worldwide in 2021
First spotted in December 2020, FluBot picked up steam in 2021 and compromised non-trivial numbers of Android phones worldwide, including more than 70,000 in Spain and Finland. The malware spreads via spam messages telling Android users to click a link to install a malicious app, purporting to be a package-delivery tracker, or asking users to listen to a fake voice message.
"FluBot is a particularly worrying example of 'new malware' because of its capacity to adapt," security firm Bitdefender warned late last year. "Although the method is always the same, the story changes periodically, and it's harder and harder to spot."
First, the scam instructed users to click a link and reschedule a package delivery. But after people caught on, the text message changed and asked users to click a link to view a photo shared by a friend.
"When this method started flopping, the attackers began sending messages that ironically warned users their phones are infected with the FluBotvirus and they need to take immediate action," Bitdefender noted. And yes, you can guess what happened after users clicked on the fake link.
Once installed, FluBot asked for accessibility permissions, and the intruders used this access to steal banking app credentials and cryptocurrency wallet details. Plus, the software nasty also stole the smartphone's contacts, and would then send text messages with malicious links to all the phone numbers saved in the device to spread itself further.
While the law enforcement officials say this strain of FluBot is inactive, they also don't know who developed and operated the malware campaign. An investigation is currently ongoing to identify the criminals behind the global operation.
Although the best advice on preventing infection is to not click on any suspicious links sent via text, Europol also lists a couple ways to tell if an app is likely malware:
- If you tap an app, and it doesn't open (it's likely got nothing to show and hopes you leave it alone)
- If you try to uninstall an app, and are instead shown an error message
And if you think an app may be malware, it's time to reset the phone to factory settings, they suggest. ®