Front Page: NCSC-FI
Front Page: NCSC-FI

The FluBot campaign sending scam messages became active in Finland in June and is still causing trouble. Based on reports received by the National Cyber Security Center (NCSC-FI), scam messages written in Finnish are being sent to thousands of people in Finland. Earlier this summer, the message said there is a package in delivery and contained a link for tracking the delivery. The link tried to lure the recipient to a scam website and install the malicious FluBot software. In the new campaign, the messages use a voicemail theme. This alert was discontinued on 17 August 2021 after the situation settled.

Target group of the alert

This alert was discontinued on 17 August 2021 after the situation settled.

The malware targets everyone using an Android device and a mobile subscription. Text messages may also be sent to other mobile phones, but the .apk installation files do not work on iPhones, for example.

Possible solutions and restrictive measures

The scam messages is written in Finnish and informs the recipient about a package delivery. The message contains a link to a website.

The website includes a link for downloading .apk application files that contain malicious software for Android devices (e.g. FluBot). The installation files do not work on iPhones. The malware may also steal data from the device and send malware-spreading scam messages. Text messages may also be sent abroad. Clicking on the link does not yet install the malware. Users will be requested to allow the installation. If you have installed the malware, you need to take immediate action.

More Information

Information security now! article: NCSC-FI has issued a severe alert on Android malware spread by SMS

Information security now! article: Alert on Android malware removed

DHL-logoa käyttävä sivusto, joka pyytää lataamaan haittaohjelman laitteelle. Suomenkielinen tekstiviesti, joka kertoo pakettitoimituksesta.

If your device has been infected by FluBot:

  • Perform a factory reset on the device. If you restore your settings from a backup, make sure you restore from a backup created before the malware was installed.
  • If you used a banking application or handled credit card information on the infected device, contact your bank. Report any financial losses to the police.
  • Reset your passwords on any services you have used with the device. The malware may have stolen your password if you have logged in after you installed the malware.
  • Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spread by sending text messages from infected devices.

Update history

Updated on 13 July 2021

The alert was discontinued on 17 August 2021 after the situation settled.