Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence.

The malware operation’s takedown resulted from a law enforcement operation involving eleven countries following a complex technical investigation to pinpoint FluBot’s most critical infrastructure.

The participants in the operation were Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands, and the United States.

“Known as FluBot, this Android malware has been spreading aggressively through SMS, stealing passwords, online banking details, and other sensitive information from infected smartphones across the world. Its infrastructure was successfully disrupted earlier in May by the Dutch Police (Politie), rendering this strain of malware inactive.” – Europol.

As the Dutch Police announced today, they have disconnected ten thousand victims from the FluBot network and prevented over 6.5 million spam SMS from reaching prospective victims.

In March 2021, the police in Spain arrested four suspects who were then considered key members of the FluBot operation, as the malware had primarily infected users in the region.

The hiatus in its distribution was momentary, though, as the malware rebounded to unprecedented levels targeting multiple other countries beyond Spain.

This time, however, Europol underlines that the FluBot infrastructure is under the control of law enforcement, so the operation cannot simply be reignited.

At this time, no announcements about any arrests have been made, so we assume that the action was focused on disrupting the malware’s infrastructure at this stage.

FluBot’s rapid proliferation

FluBot is an Android malware that steals banking and cryptocurrency account credentials by overlaying phishing pages on top of the interface of the legitimate apps when the victims open them.

Additionally, it can access SMS content and monitor notifications, so two-factor authentication and OTP codes can be snatched on the fly.

Its rapid proliferation is thanks to the abuse of the contact list of infected devices: the malware sends SMS lures to every contact, and those messages appear to come from a person the recipients trust.

The person whose device is abused for spamming doesn’t notice anything odd, as everything happens in the background.

This way, starting from only a handful of infections, FluBot quickly multiplied its victims in certain places around the globe and spread like wildfire there.
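The propagation pattern described above (one infected handset sending a near-identical, link-bearing text to many contacts in a short burst) leaves a recognisable trace in outbound SMS telemetry. The following detection heuristic is an added illustration, not code from Europol, the Dutch Police or the article; the telemetry format, the sample records and the thresholds are all constructed for the example.

```python
"""Flag the SMS fan-out pattern described above: one infected handset
blasting a near-identical, link-bearing text to many contacts in a short
window. Added illustration, not code from Europol, the Dutch Police or the
article; the telemetry format, thresholds and records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-SMS telemetry: (device_id, sent_at, recipient, body).
# Links use the reserved example.com domain, so none of them lead anywhere.
SAMPLE_OUTBOUND_SMS = [
    ("dev-A", "2022-05-30T09:00:01", "+3160000001", "Your parcel is waiting: https://example.com/track/a1"),
    ("dev-A", "2022-05-30T09:00:04", "+3160000002", "Your parcel is waiting: https://example.com/track/b7"),
    ("dev-A", "2022-05-30T09:00:06", "+3160000003", "Your parcel is waiting: https://example.com/track/c2"),
    ("dev-A", "2022-05-30T09:00:09", "+3160000004", "Your parcel is waiting: https://example.com/track/d9"),
    ("dev-A", "2022-05-30T09:00:11", "+3160000005", "Your parcel is waiting: https://example.com/track/e4"),
    ("dev-B", "2022-05-30T09:05:00", "+3160000010", "Running late, see you at 7?"),
    ("dev-B", "2022-05-30T09:30:00", "+3160000011", "Running late, see you at 7?"),
]

URL_RE = re.compile(r"https?://\S+")

def normalise(body: str) -> str:
    """Collapse per-victim tracking links so message variants group together."""
    return URL_RE.sub("<URL>", body.strip().lower())

def find_fanout(records, min_recipients=5, window=timedelta(minutes=10)):
    """Return {(device_id, template): max distinct recipients} for devices that
    sent one link-bearing template to >= min_recipients numbers inside `window`."""
    sends = defaultdict(list)  # (device, template) -> [(sent_at, recipient)]
    for device, ts, recipient, body in records:
        if URL_RE.search(body):  # the lure described above always carries a link
            sends[(device, normalise(body))].append((datetime.fromisoformat(ts), recipient))
    flagged = {}
    for key, events in sends.items():
        events.sort()
        i = 0  # left edge of a sliding window over the time-ordered sends
        for j in range(len(events)):
            while events[j][0] - events[i][0] > window:
                i += 1
            distinct = {r for _, r in events[i:j + 1]}
            if len(distinct) >= min_recipients:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged
```

Only device dev-A is flagged: it pushed the same parcel lure with per-recipient links to five numbers within seconds, while dev-B's ordinary, link-free texts are ignored.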

[Figure: FluBot’s main operation scheme (Europol)]

As for the methods of distribution for “patient zero,” these include laced apps on the Google Play Store, fake parcel delivery messages, fake Flash Player app updates, and many more.

If you think FluBot might have infected your device, Europol suggests you perform a factory reset that wipes all data in the partitions that can host malware.

Source: www.bleepingcomputer.com