A malware campaign with the aim of stealing passwords, bank details and other sensitive information is spreading quickly through Android devices.
Known as FluBot, the malware is installed via text messages claiming to be from a delivery company that asks users to click a link to track package delivery. This phishing link asks users to install an application to follow the fake delivery – but the app is actually malware for stealing information from infected Android smartphones.
Once installed, FluBot also gains access to the victim’s address book, allowing it to send the infected text message to all their contacts, further spreading the malware.
The UK’s National Cyber Security Centre (NCSC) has issued security guidance about how to identify and remove FluBot malware, while network providers including Three and Vodafone have also issued warnings to users over the text message attacks.
Attacks begin with messages that most commonly claim to come from delivery service DHL – although the names of other brands including Asda, Amazon and Argos are also being leveraged.
If an Android user clicks on the link, they’re taken to a website that will take the user to a third-party site to download a malicious APK file. These files are usually blocked by default in order to help protect Android users from attacks, but the fake websites provide information on how to bypass these protections and allow FluBot to be installed.
Once installed, FluBot obtains all the permissions necessary to access and steal sensitive information including passwords, online bank details and other personal information, as well as the ability to spread itself to others. It’s this mechanism of using contact information that is allowing FluBot to spread so quickly.
While the malware can only infect Android devices, Apple users are also urged to be cautious about text messages urging them to click links about delivery as the malicious websites could still be used to steal personal information.
The NCSC has warned users who receive a scam text message not to click the link in the message and not to install any apps if prompted. Instead, they’re urged to forward the message to 7726, a free spam-reporting service provided by phone operators – then to delete the message.
Meanwhile, the NCSC has warned people who’ve already clicked the link and downloaded the application to not login to any additional online accounts to stop attackers harvesting more personal information – then to perform a factory reset of the device as soon as possible.
While users should be able to restore the data on their device via a backup, it’s important to avoid restoring from any backups made after FluBot malware was installed – because they will still be infected.
The NCSC also recommends that users should change the passwords of any accounts they’ve logged in to since downloading the app – as well as any other accounts that use the same password – in order to prevent attackers from continuing to have access.
In order to avoid falling victim to similar attacks, it’s recommended that users only install applications from official app stores.