FluBot Android malware crushed by Europol takedown

FluBot, the super-spreader Android malware that infected tens of thousands of phones globally, has reportedly been crushed by an international law enforcement operation.

In May, Dutch police disconnected the mobile malware infrastructure, cut thousands of victims’ devices off from the FluBot network and prevented more than 6.5 million spam text messages propagating the bot from reaching potential victims, Finland’s National Bureau of Investigation said on Wednesday.

The dismantling followed a Europol-led investigation involving law enforcement agencies from Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States.

FluBot was first discovered in December 2020, gaining momentum in 2021 and compromising non-trivial numbers of Android phones worldwide, including more than 70,000 in Spain and Finland. The malware is spread via spam messages that tell Android users to click on a link to install a malicious app pretending to be a parcel delivery tracker, or asking users to listen to a fake voicemail.

“FluBot is a particularly worrying example of ‘new malware’ because of its ability to adapt,” security firm Bitdefender warned last year. “Although the method is always the same, the story changes from time to time and it’s getting harder and harder to spot.”

At first, the scam instructed users to click on a link and reschedule a package delivery. But after people caught on, the text message changed and asked users to click on a link to see a photo shared by a friend.

“As this method began to flop, attackers began sending messages that ironically warned users that their phones were infected with FluBot virus and that they needed to take immediate action,” Bitdefender noted. And yes, you can guess what happened after users clicked on the fake link.

After installation, FluBot asked for accessibility permissions, and its operators used this access to steal banking app credentials and cryptocurrency wallet details. The software nasty also stole the smartphone’s contacts, and would then send text messages with malicious links to all phone numbers stored on the device to spread itself further.
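The combination described above (an accessibility service plus contact and SMS access) can be checked for when triaging an app. The following is an added example, not code from Europol or Bitdefender; it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the package names and manifests are constructed test data.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions matching the self-spreading behaviour: read contacts, then text them.
SPREAD_PERMS = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

def audit_manifest(xml_text):
    """Summarise the FluBot-style permission combination in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    services = [s.get(A + "name") for s in root.iter("service")
                if s.get(A + "permission") == BIND_A11Y]
    matched = sorted(SPREAD_PERMS & requested)
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "spread_permissions": matched,
        # Flag only the full combination; each piece alone is common in benign apps.
        "flag": bool(services) and len(matched) == len(SPREAD_PERMS),
    }

def manifest(package, perms, a11y_service=None):
    """Build a constructed sample manifest (test data, not from a real app)."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    svc = (f'<service android:name="{a11y_service}" android:permission="{BIND_A11Y}"/>'
           if a11y_service else "")
    return (f'<manifest xmlns:android="{A[1:-1]}" package="{package}">'
            f'{uses}<application>{svc}</application></manifest>')

SAMPLES = [
    manifest("com.example.parceltracker", ["READ_CONTACTS", "SEND_SMS", "INTERNET"], ".TrackService"),
    manifest("com.example.screenreader", ["INTERNET"], ".ReaderService"),
    manifest("com.example.smsclient", ["READ_CONTACTS", "SEND_SMS"]),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        r = audit_manifest(xml_text)
        print(f'{r["package"]}: {"REVIEW" if r["flag"] else "ok"} '
              f'{r["accessibility_services"]} {r["spread_permissions"]}')
```

A flag is a reason to look closer rather than a verdict: a "parcel tracker" has no obvious need for an accessibility service and SMS sending together, while a legitimate messaging or assistive app may need some of these individually.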

Law enforcement officials say this strain of FluBot is inactive, but they do not know who developed and ran the malware campaign. An investigation is currently underway to identify the criminals behind the global operation.

While the best advice to prevent infection is not to click on suspicious links sent via text, Europol also lists a few ways to tell if an app is likely to be malware:

  • If you tap an app and it does not open (it probably has nothing to show and hopes you leave it alone)
  • If you try to uninstall an app and get an error message instead

And if you think an app might be malware, it’s time to reset your phone to factory defaults, they suggest. ®