October 8th Newsletter
The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections.
As New Zealand's computer emergency response team (CERT NZ) warned last Friday, the message on Flubot's new installation page is only a lure designed to instil a sense of urgency and push potential targets to install malicious apps.
"Your device is infected with the FluBot® malware. Android has detected that your device has been infected," the new Flubot installation page says.
"FluBot is an Android spyware that aims to steal financial login and password data from your device. You must install an Android security update to remove FluBot."
Potential victims are also instructed to enable the installation of unknown apps if they're warned that the malicious app cannot be installed on their device.
"If you are seeing this page, it does not mean you are infected with Flubot however if you follow the false instructions from this page, it WILL infect your device," CERT NZ explained.
The SMS messages used to redirect targets to this installation page are about pending or missed parcel deliveries or stolen photos uploaded online.
This banking malware has been active since late 2020, and has been used to steal banking credentials, payment information, text messages, and contacts from compromised devices.
Until now, Flubot spread to other Android phones by spamming text messages to contacts stolen from already infected devices and instructing the targets to install malware-ridden apps in the form of APKs delivered via attacker-controlled servers.
Once delivered via SMS phishing, the malware tries to trick the victim into granting it additional permissions, including access to the Android Accessibility service, which lets it hide its activity and execute malicious tasks in the background.
Flubot effectively takes over the infected device, harvesting the victim's payment and banking information through downloaded WebView phishing pages overlaid on top of the interfaces of legitimate mobile banking and cryptocurrency apps.
It also harvests and sends the address book to its command-and-control server (with the contacts later sent to other Flubot spam bots), monitors system notifications for app activity, reads SMS messages, and makes phone calls.
FluBot will only infect your phone if the link is clicked and the app is downloaded. Receiving the text does not mean you are infected. Apple phones can also receive the message but cannot be infected.
Make sure the default settings that block installing apps from unknown sources are still in place. In Android 8 or later, go to Settings > Apps > Special access > Install unknown apps, and then make sure that "Not allowed" is shown next to each app name. If you see "Allowed", tap on the app and toggle off the switch.
In Android 7 or earlier, go to Settings > Security (or Lockscreen and Security), where you'll see an entry labeled "Unknown sources." Make sure it's toggled off.
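The same two checks can be scripted for a fleet or a forensic triage. The script below is an added example, not part of the newsletter: it reads the per-app "Install unknown apps" permission, the legacy "Unknown sources" toggle and the list of enabled Accessibility services over adb. It assumes adb is on PATH with USB debugging enabled; the `--live` flag and the sample strings are constructed for this example.

```shell
#!/bin/sh
# Added audit script (not from the newsletter). Parsing functions take captured
# adb output as their argument so they can be tested without a device attached.

# Android 8+: "appops get <pkg> REQUEST_INSTALL_PACKAGES" prints a line such as
# "REQUEST_INSTALL_PACKAGES: allow; time=..." when the app may install APKs.
# Prints 1 when the op is allowed, 0 otherwise (default/ignore/"No operations.").
install_unknown_allowed() {
  case "$1" in
    *"REQUEST_INSTALL_PACKAGES: allow"*) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Android 7 and earlier: Settings.Secure install_non_market_apps is "1" when the
# global "Unknown sources" toggle is on. Prints 1 if on, 0 otherwise.
legacy_unknown_sources_on() {
  if [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; then echo 1; else echo 0; fi
}

# Settings.Secure enabled_accessibility_services is a colon-separated list of
# "package/ServiceClass" entries (or "null"). Prints one unique package per line;
# any package here other than a known screen reader deserves a closer look.
accessibility_packages() {
  printf '%s' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d; /^null$/d' | sort -u
}

# Live audit against the attached device (carriage returns stripped from adb output).
audit_device() {
  for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
    out=$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | tr -d '\r')
    [ "$(install_unknown_allowed "$out")" = 1 ] && echo "ALLOWED: $pkg may install unknown apps"
  done
  legacy=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
  [ "$(legacy_unknown_sources_on "$legacy")" = 1 ] && echo "WARNING: legacy Unknown sources toggle is ON"
  svcs=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  echo "Packages with an enabled Accessibility service:"
  accessibility_packages "$svcs"
}

# Only touch a device when explicitly asked and adb is available.
if [ "${1:-}" = "--live" ] && command -v adb >/dev/null 2>&1; then
  audit_device
fi
```

Run it as `sh audit.sh --live` with one device attached; a package that is both allowed to install unknown apps and has an enabled Accessibility service matches the behaviour described above.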