Published: August 21, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Opportunities to applaud the takedown of a banking trojan, especially one like FluBot, don’t happen every day. This trojan trickster had its infrastructure clock cleaned by an international effort involving law agencies in eleven countries. Along with the great news, we also get an idea of what it takes to dismantle an international banking trojan infrastructure.
The combined efforts of law enforcement authorities in eleven countries were a highly coordinated, ongoing effort to dismantle FluBot’s infrastructure – and it worked. With Europol’s European Cybercrime Centre (EC3) leading the coordination effort, the other countries involved were the United States, Australia, Switzerland, Finland, Ireland, Sweden, Spain, Hungary, Belgium, and the Netherlands.
FluBot gained its reputation as an ongoing threat to Android devices after being discovered two years ago. The financial threat it imposed on its victims was quickly and aggressively dispatched the world over.
FluBot made an appearance at the European Commission press conference last March, posing as a package shipping business. By the end of the month, the trojan infected 60,000 headsets and hijacked eleven million phone numbers. Results like these give FluBot exactly what it needs to spread and infect mobile devices everywhere.
According to EC3, FluBot was one of the fastest spreading mobile trojans to date. FluBot steals passwords and other PII, and of course, online banking app credentials. With FluBot also pilfering device contacts, it forwards itself to those stolen contacts and their devices – a highly effective way of spreading itself.
Package Delivery Problems
A FluBot infection starts by sending potential victims an SMS (text) posing as a delivery company, warning recipients there’s a problem delivering their package. The text instructs recipients to click on a link to install their package tracking app. But true to its trojan roots, the app is FluBot, and it just made a home on the now-infected Android smartphone. The app then asks for access permissions leading to stolen banking credentials, cryptocurrency account details, and disables any built-in device security.
Now that FluBot infrastructure is under control of the good guys, Europol recommends to Android users who think they may have inadvertently installed the malware, to reset their phones to factory settings. And remember to avoid other similar infections. Don’t click links or attachments in text, SMS, email or anywhere else that are from unknown senders, are unexpected, or are suspicious in any way. If you are expecting a delivery, go directly to the company’s website and check the tracking information or give them a call.
Just because this flu’s origin has been discovered and destroyed, doesn’t mean the FluBot isn’t still out there. Stay healthy and don’t catch it on your device.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org