Finland warns of Flubot malware heavily targeting Android users

Finland's National Cyber Security Centre (NCSC-FI) has issued a "severe alert" to warn of a massive campaign targeting the country's Android users with Flubot banking malware pushed via text messages sent from compromised devices.

This is the second large-scale Flubot campaign that hit Finland this year, with a previous series of attacks SMS spamming thousands of Fins each day between early June and mid-August 2021.

Just as it happened over the summer, the new spam campaign also uses a voicemail theme, asking the targets to open a link that would allow them to access a voicemail message or message from the mobile operator.

However, the SMS recipients are redirected to malicious sites pushing APK installers to deploy the Flubot banking malware on their Android devices instead of opening a voicemail.

Targets using iPhones or other devices will just get redirected to other fraudulent and likely also malicious pages such as phishing landing pages attempting to phish their credit card details.

"According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected," the Finnish National Cyber Security Centre said in the alert issued on Friday.

"We managed to almost completely eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one, because the previously implemented control measures are not effective," said NCSC-FI information security adviser Aino-Maria Väyrynen.

Android users who receive Flubot spam messages are advised not to open the embedded links or download the files shared via the link to their smartphones.

Be aware of malware spread by SMS

The #FluBot campaign has become active again, and the malware is being spread by SMS. Scam messages written in Finnish are being sent to tens of thousands of people in Finland.https://t.co/TRXQa5Jv9D

— NCSC-FI (@CERTFI) November 26, 2021

Android banking malware goes global

This banking malware (also known as Fedex Banker and Cabassous) has been active since late 2020 and is used to steal banking credentials, payment information, text messages, and contacts from infected devices.

Initially, the botnet mainly targeted Android users from Spain. However, it has now expanded to target additional European countries (Germany, Poland, Hungary, UK, Switzerland) and Australia and Japan in recent months, even though the Catalan police reportedly arrested the gang's leaders back in March.

After infecting an Android device, Flubot spreads to others by spamming text messages to stolen contacts and instructing the targets to install malware-ridden apps in the form of APKs. Last month, Flubot also began tricking its victims into infecting themselves using fake security updates warnings of Flubot infections.

Once deployed on a new device, it will attempt to trick victims into giving additional permissions and grant access to the Android Accessibility service, allowing it to hide and execute malicious tasks in the background.

It then takes over the infected device, gains access to the victims' payment and banking info via webview phishing pages overlayed on top of legitimate mobile banking and cryptocurrency apps' interfaces.

Flubot also exfiltrates the address book to the command-and-control server (with the contacts later sent to other Flubot bots for pushing spam), reads SMS messages, makes phone calls, and monitors system notifications for app activity.

Those who have infected their devices with Flubot malware are recommended to take the following measures:

• Perform a factory reset on the device. If you restore your settings from a backup, make sure you restore from a backup created before the malware was installed.
• If you used a banking application or handled credit card information on the infected device, contact your bank.
• Report any financial losses to the police.
• Reset your passwords on any services you have used with the device. The malware may have stolen your password if you have logged in after you installed the malware.
• Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spread by sending text messages from infected devices.