The widely distributed FluBot malware continues to evolve, with new campaigns delivering it as a fake Flash Player and its developers adding new features.
FluBot is an Android banking Trojan that steals credentials by overlaying fake login forms on the apps of numerous banks around the world.
The smishing lures used to distribute it include fake security updates, fake Adobe Flash Player installers, voice memos and impersonated parcel delivery notices.
Once on the device, FluBot can steal online banking credentials, send or intercept SMS messages (including one-time passwords), and capture screenshots.
Since the malware uses the victim’s device to send new smishing messages to all of their contacts, it usually spreads like wildfire.
Impersonating Flash Player
MalwareHunterTeam told BleepingComputer that new FluBot campaigns are distributed using text messages asking the recipient if they intend to download a video from their device.
An example of an SMS from this campaign targeting Polish recipients was shared by CSIRT KNF, as seen below.
When recipients click on the included link, they are taken to a page with a fake Flash Player APK file [VirusTotal] which installs the FluBot malware on the Android device.
Android users should avoid installing apps from APKs hosted on third-party sites. This applies especially to well-known brands like Adobe, whose applications should only be installed from trusted sources. In this case there is an additional tell: Adobe ended support for Flash Player at the end of 2020 and discontinued Flash Player for Android years earlier, so any "Flash Player" APK offered for Android today is a red flag on its own.
New features in recent versions of FluBot
The most recent major version is 5.0, released in early December 2021, while version 5.2 was released only a few days ago.
With this release, the DGA (Domain Generation Algorithm) received a lot of attention from the malware authors, since it is what keeps the operators' C2 infrastructure reachable when individual domains are blocked or taken down.
A DGA generates many new C2 domain candidates on the fly, which renders static mitigations such as DNS blocklists and one-off domain takedowns ineffective: the malware and its operators both compute the same list, the operator registers one or a few of the domains, and the bot walks the list until one answers.
In its latest version, FluBot's DGA draws from 30 top-level domains instead of the three used before, and a new command allows the attackers to change the DGA seed remotely, so defenders who have precomputed domains from the old seed lose visibility until the new seed is extracted from a sample.
On the communication side, FluBot now tunnels its C2 traffic over DNS using DNS over HTTPS (DoH), whereas previously it talked to the C2 directly over HTTPS on port 443. Because DoH carries the queries inside TLS to whichever resolver the malware is configured to use (a list that a new command can update), an organization's own DNS resolver no longer sees them.
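The following is an added illustration of why a seeded DGA defeats a static blocklist and what a remote seed update buys the operator. It is not FluBot's algorithm, TLD pool or command format (those are in the F5 Labs report); the hash-based generator, the 30-entry TLD list, the `UPDATE_SEED` verb and the seed values are all constructed for this example.

```python
"""Illustrative domain generation algorithm (DGA) with a remotely updatable seed.

Constructed example, NOT FluBot's DGA: the generator, the TLD pool and the
UPDATE_SEED command are assumptions made for the illustration.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed pool of 30 TLDs (assumption: the real pool differs).
TLDS = ("com net org info biz xyz top online site club ru cn de fr it es nl pl "
        "uk us ca au br in jp kr mx se ch at").split()


def generate_domains(seed: int, day: date | str, count: int = 20) -> list[str]:
    """Return the candidate C2 domains for one day and one seed.

    Malware and operator compute the same list: the operator registers one of
    the names, the bot tries them in order until something answers.
    """
    if isinstance(day, str):
        day = date.fromisoformat(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label_len = 8 + digest[0] % 8                                 # 8..15 chars
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


class BotState:
    """Minimal rendezvous state of an infected device: just the current seed."""

    def __init__(self, seed: int) -> None:
        self.seed = seed

    def handle_command(self, command: str) -> None:
        """Apply an operator command; only a hypothetical UPDATE_SEED verb exists here."""
        verb, _, arg = command.partition(" ")
        if verb == "UPDATE_SEED":
            self.seed = int(arg)
        else:
            raise ValueError(f"unknown command: {verb}")

    def todays_domains(self, day: date) -> list[str]:
        return generate_domains(self.seed, day)


def blocklist_hit_rate(blocklist: set[str], domains: list[str]) -> float:
    """Fraction of one day's candidate domains that a blocklist would stop."""
    return sum(d in blocklist for d in domains) / len(domains)


def demo() -> dict[str, float]:
    day0 = date(2021, 12, 1)
    bot = BotState(seed=0x1337)
    # Defender blocklists the domains observed on day0 (e.g. pulled from a sample).
    blocklist = set(bot.todays_domains(day0))
    same_day = blocklist_hit_rate(blocklist, bot.todays_domains(day0))
    # One day later the list has rotated even though the seed is unchanged.
    next_day = blocklist_hit_rate(blocklist, bot.todays_domains(day0 + timedelta(days=1)))
    # A defender who reversed the seed can precompute a month ahead...
    precomputed = {d for off in range(30)
                   for d in generate_domains(0x1337, day0 + timedelta(days=off))}
    # ...until the operator pushes a new seed, after which that list is useless
    # until the new seed is extracted from a fresh sample.
    bot.handle_command("UPDATE_SEED 4242")
    day2 = day0 + timedelta(days=2)
    after_reseed = blocklist_hit_rate(precomputed, bot.todays_domains(day2))
    after_reextraction = blocklist_hit_rate(set(generate_domains(4242, day2)),
                                            bot.todays_domains(day2))
    return {"same_day": same_day, "next_day": next_day,
            "after_reseed": after_reseed, "after_reextraction": after_reextraction}


if __name__ == "__main__":
    for name, rate in demo().items():
        print(f"{name}: {rate:.0%}")
```

The practical consequence is the one the article describes: blocking observed domains buys nothing beyond the current day, and even a recovered seed only helps until the operators rotate it, so detection has to target the behaviour (bursts of NXDOMAIN responses for never-seen names, queries spread across many TLDs) rather than the names themselves.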
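Tunnelling C2 traffic through DNS means the queries themselves carry the data, and that leaves a pattern a defender can look for: a single parent domain receiving many queries whose subdomains are long, high-entropy and never repeated. The heuristic below is an added example, not a detection from the F5 Labs report and not FluBot's actual traffic; the log format, the sample lines, the thresholds and the two-label "registered domain" rule are all assumptions made for the illustration. The caveat that matters with DoH: an organization's resolver will not log these queries at all, so the input has to come from an endpoint agent, a DoH resolver you operate, or a TLS-inspecting egress proxy; if none of those exist, the only visible signal is DoH traffic to a resolver you did not sanction.

```python
"""Heuristic detector for DNS-tunnel-style query patterns.

Added illustration; the sample log, its format and the thresholds are
constructed for this example and are not FluBot's traffic.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Constructed sample log, assumed format: "<epoch> <client> <qtype> <qname>".
# The long labels under example.net stand in for encoded C2 data.
SAMPLE_LOG = """\
1638360001 10.0.0.5 A www.example.com
1638360002 10.0.0.5 A cdn.example.com
1638360003 10.0.0.5 A mail.example.com
1638360004 10.0.0.5 A static-content-delivery.example.org
1638360005 10.0.0.7 TXT kq3x7mzp2vfh9ba4wtg8enl5dycu.tun.example.net
1638360006 10.0.0.7 TXT r5yw2hcn8eq4lvm6tzb0jxa1gfsp.tun.example.net
1638360007 10.0.0.7 TXT v9dkq2xmh7pbn4taz3eyc8wgl6ujrf05.tun.example.net
1638360008 10.0.0.7 TXT p2mzk8xq4vhn7ytb3cwg0ldfa6ejsr1u.tun.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str) -> tuple[str, str]:
    """Split a query name into (subdomain part, parent domain).

    Assumption: the parent is the last two labels. Production code should use a
    public suffix list so that e.g. host.example.co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text: str, min_queries: int = 3, min_mean_len: int = 20,
            min_entropy: float = 3.0, min_distinct_ratio: float = 0.9) -> dict[str, dict]:
    """Aggregate queries per parent domain and flag tunnel-like ones.

    A parent is flagged only when ALL signals agree: enough queries, long
    subdomains, high entropy and (almost) no subdomain ever repeated. Any one of
    these alone fires on CDNs and cache-busting hostnames.
    """
    per_parent: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        sub, parent = split_name(qname)
        per_parent[parent].append((qtype.upper(), sub))

    report: dict[str, dict] = {}
    for parent, entries in per_parent.items():
        subs = [s for _, s in entries]
        n = len(subs)
        stats = {
            "queries": n,
            "mean_sub_len": sum(map(len, subs)) / n,
            "mean_entropy": sum(map(shannon_entropy, subs)) / n,
            "distinct_ratio": len(set(subs)) / n,
            # Record types that can carry arbitrary payload back to the client.
            "data_qtype_ratio": sum(q in ("TXT", "NULL", "CNAME") for q, _ in entries) / n,
        }
        stats["suspicious"] = (n >= min_queries
                               and stats["mean_sub_len"] >= min_mean_len
                               and stats["mean_entropy"] >= min_entropy
                               and stats["distinct_ratio"] >= min_distinct_ratio)
        report[parent] = stats
    return report


if __name__ == "__main__":
    for parent, stats in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{parent:20} queries={stats['queries']} len={stats['mean_sub_len']:.1f} "
              f"entropy={stats['mean_entropy']:.2f} distinct={stats['distinct_ratio']:.2f} {flag}")
```

Note that `static-content-delivery.example.org` has a long, fairly high-entropy subdomain but is not flagged, because it is queried once and the rule demands repetition; tuning the thresholds against your own baseline traffic is the real work, and the `data_qtype_ratio` column is there as an extra signal for analysts rather than as a hard rule.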
The commands added to the malware in versions 5.0, 5.1 and 5.2 are as follows:
- Update DNS resolvers
- Update the DGA seed remotely
- Send longer text messages using multipart split functions
In addition to the above, the latest version of FluBot retains the ability to:
- Open URLs on demand
- Obtain the victim's contact list
- Uninstall existing apps
- Disable Android battery optimization
- Abuse the Android accessibility service for screenshots and keylogging
- Make calls on demand
- Disable Play Protect
- Intercept and hide new SMS messages to steal OTPs
- Upload SMS messages containing information about the victim to the C2
- Get the list of installed apps so the corresponding overlay injections can be loaded
In short, FluBot has not deprecated any of the commands used in previous versions; it has only enriched its capabilities with new ones.
For more technical details on how exactly the latest version of FluBot works, see the F5 Labs Report.
How to protect yourself from FluBot
Note that in many cases the link to download FluBot will arrive from one of your contacts, perhaps even a friend or family member, because their device is already infected and is sending the messages on their behalf.
So if you receive an unusual text message that contains a URL and prompts you to click on it, treat it as suspect even when the sender is someone you know, and confirm with them through another channel before opening it.
Finally, avoid installing APK files from untrusted sources, regularly check that Google Play Protect is enabled on your Android device (FluBot itself tries to switch it off), and use a mobile security solution from a reputable provider.