Recognizing and guarding against SMS FluBot phishing scams

How to guard against SMS phishing scams

In recent weeks, mobile users in several countries have been receiving SMS messages linking to a banking Trojan called “FluBot”. This threat pretends to be from a delivery company and asks users to install a tracking app in order to track the status of the package, but in fact is used to steal credentials and other personal data. At Avast we’re continuing to see new samples of FluBot coming in daily via our mobile threat intelligence platform apklab.io.

Ondrej David is Malware Analysis Team Leader at Avast.

According to recent research, FluBot so far has already infected 60,000 devices and the total number of phone numbers collected by the attackers was estimated at 11 million by late February/early March.

The first FluBot attacks were reported weeks ago, and we still see tens of new sample versions evolving every day. At the moment, the primary targets of the attacker’s campaign are the U.K., Spain, Italy, Germany, Hungary and Poland. But we expect that the scope of operation may be extended to target other countries in the very near future. The rapid continuation of this campaign shows that it is successful, and users must be made aware of the threat so that they can guard against it.

How FluBot works

FluBot is an example of an SMS-based malware campaign. It spreads by sending SMS messages that claim the recipient has a package delivery and urge them to download a tracking app using the included link. If the recipient clicks on the link, they are taken to a site that offers to download the app. The app is malware that, when installed, steals the victim’s contact information and uploads it to a remote server. This information is later used by the server to send additional messages and further distribute the malicious SMS messages to those contacts.

The malicious app uses an Android component known as Accessibility to monitor the device and to take control of it. For instance, this enables it to show high-priority window overlays; in other words, the malware can show something over anything that’s currently on the screen, such as a fake banking portal displayed over a legitimate banking app activity. If the user enters his or her credentials on that overlay screen, they risk being stolen.

This component is also exploited by the malware as a self-defense mechanism to cancel any uninstallation attempts by affected users, which makes it difficult to remove from infected devices.

How does a FluBot SMS look?

What makes this malware particularly successful is that it disguises itself as postal/parcel delivery services, using text along the lines of ‘Your parcel is arriving, download the app to track’ or ‘You missed your parcel delivery, download the app to track’, to which a lot of unsuspecting users would easily fall victim. This is especially the case in the current situation where some form of home delivery has become the standard mode of operation for many businesses during the pandemic.

Cybercriminals are taking advantage of trends and current events to make sure they attract as many potential victims as possible. During the pandemic, more people have grown used to online shopping and it is not uncommon to regularly be receiving parcels and packages. Two-thirds of consumers have increased their online shopping activities compared to before the pandemic.

How to protect yourself from FluBot?

First and foremost, install an antivirus solution that prevents threats like FluBot. Also, if you think you already are affected by FluBot, you can install an antivirus app to run a scan on your device to identify the malware. If it is found, it’s advisable you reboot your device to safe mode and uninstall the detected application from there. With this step, all other third party applications will be disabled momentarily too, but they will be active again with the next regular reboot.

If users think they may have been a victim of credential theft via this attack, it’s advisable to reset any passwords for services they feel might have been compromised, such as banking and shopping apps.

Users can also protect themselves from FluBot and other mobile phishing attacks by following measures below:

Awareness is the key for defending users against phishing scams such as FluBot, and at a time when many are distracted by world events it is understandable to see a rise in successful attacks. At Avast, we are committed to empowering people with tools to protect themselves against these threats and are working to make the internet a safe place for everyone.
