The Finnish National Cyber Security Center (NCSC-FI) has issued a “severe alert” to warn of a massive campaign targeting Android users in the country with the Flubot banking malware pushed via text messages sent from compromised devices.
This is the second big Flubot campaign that hit Finland this year, with a previous series of attacks SMS spamming thousands of Endings every day between early June and mid-August 2021.
Just as it happened over the summer, the new spam campaign also uses a voicemail theme, asking targets to open a link that would allow them to access a voicemail or message from. the mobile operator.
However, SMS recipients are redirected to malicious sites that trick APK installers to deploy Flubot banking malware on their Android devices instead of opening voicemail.
Targets using iPhones or other devices will simply be redirected to other fraudulent and possibly malicious pages too, such as phishing landing pages attempting to phish their credit card details.
“Based on our current estimate, approximately 70,000 messages have been sent in the past 24 hours. If the current campaign is as aggressive as that of the summer, we expect the number of posts to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected “, the Finnish National Cyber Security Center noted in the alert issued on Friday.
“We managed to eliminate FluBot almost completely from Finland at the end of the summer thanks to the cooperation between the authorities and the telecommunications operators. The currently active malware campaign is new, as previously implemented control measures are not effective ” noted Information Security Advisor NCSC-FI Aino-Maria Väyrynen.
Android users who receive Flubot spam messages are advised not to open the embedded links or download the files shared through the link on their smartphones.
Be aware of malware spread by SMS
– NCSC-FI (@CERTFI) November 26, 2021
Android banking malware goes global
This banking malware (also called Fedex banker and Cabassous) has been active since late 2020 and is being used to steal bank credentials, payment information, text messages, and contacts from infected devices.
Initially, the botnet primarily targeted Android users from Spain. However, it has now expanded to target additional European countries (Germany, Poland, Hungary, United Kingdom, Switzerland) and Australia and Japan in recent months, although the Catalan police would have arrested the gang leaders back in March.
After infecting an Android device, Flubot spreads to others by sending text messages to stolen contacts and asking targets to install malicious apps in the form of APKs. Last month, Flubot also began tricking its victims into becoming infected by using fake security updates warning of Flubot infections.
Once deployed to a new device, it will attempt to trick victims into granting additional permissions and granting access to the Android accessibility service, allowing it to hide and run malicious tasks in the background.
It then takes over the infected device, accesses the victims’ banking and payment information through webview phishing pages overlaid on the interfaces of legitimate mobile banking and cryptocurrency apps.
Flubot also exfiltrates the address book to the command and control server (with contacts later sent to other Flubot bots to push spam), reads SMS messages, makes phone calls, and monitors system notifications for application activity.
Those who have infected their devices with Flubot malware are recommended to take the following actions:
- Perform a factory reset on the device. If you are restoring your settings from a backup, be sure to restore from a backup created before the malware was installed.
- If you used a banking app or processed credit card information on the infected device, contact your bank.
- Report any financial loss to the police.
- Reset your passwords on any services you have used with the device. The malware may have stolen your password if you logged in after installing the malware.
- Contact your operator, as your subscription may have been used to send paid SMS. The currently active malware for Android devices is spread by sending text messages from infected devices.