Front Page: NCSC-FI
Front Page: NCSC-FI

Information security now!

The FluBot malware that caused trouble among Android users earlier this year is being spread again. In the past few days, the National Cyber Security Centre (NCSC-FI) at the Finnish Transport and Communications Agency has received increasing numbers of reports about dozens of message variants used to spread the malware.

A mobile malware campaign sending text messages (SMS) has become active in Finland. The malware targets everyone using an Android device and a mobile subscription. iPhones and other devices are directed to other fraudulent material on the website. The theme of the text message may be that the recipient has received a voicemail message or a message from their mobile operator. What all messages have in common is that they ask the recipient to open the link in the message. Clicking on the link does not yet install the malware. Users will be requested to allow the installation. The malware may steal data from the device and send malware-spreading scam messages. The messages are often written without Scandinavian letters (å, ä and ö) and may contain the characters +, /, &, % and @ in random and illogical places in the text.

“An Android malware called FluBot is being spread by SMS. According to our current estimate, tens of thousands of messages have been sent to people in Finland during one day. We expect the amount to increase in the coming days and weeks,” says Aino-Maria Väyrynen, information security adviser at the NCSC-FI.

The previous FluBot mobile malware campaign was active in Finland in the summer, and the NCSC-FI issued an alert about the matter. The present messages constitute a new campaign. Cooperation with telecommunications operators plays a key role in measures to combat the malware.

“We managed to almost completely eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one, because the previously implemented control measures are not effective,” Väyrynen says.

Organisations encouraged to inform their personnel

The yellow alert issued by the NCSC-FI means that the situation calls for general caution or may require users or administrators to take action. If you receive a scam message, do not click on the link. Do not download the file shared via the link on your phone.

Preparedness is important, and organisations should inform their personnel about FluBot to ensure that their employees do not install the malware on their phones. It is important for organisations to know what information and data phones may have contained and to assess the risks of a potential data leak, because FluBot steals information from phones.

Examples of fraudulent text messages.
DHL-teemaisissa viesteissä laitteelle houkutellaan asentamaan myös FluBot-haittaohjelma. Viestien ulkoasut vaihtelevat laajasti.
On 1 December, we began to receive many reports about DHL-themed messages.


Hieno #r5# viesti Gary Pettylta. / Tarkea aihe. 
Ilmoitus matkapuhelinoperaattorilta, & klikkaa @ nahdaksesi koko & viestin.
Ilmoitus: %51% (1) uusi aaniviesti: 
Jos haluat lopettaa viestien vastaanottamisen, poistu tasta: 
Olet + saanut uuden & aaniviestin:
Saapuva #0#'p' aaniviesti: @ 
Sinulla on 1 uusi aaniviesti(t). Lisatietoja saat osoitteesta 
Tarkea viesti! Etsimme sinua. & Lue se taalta: 
Uusi / aaniviesti: 
Vastaamaton %0y3% puhelu: -qr- Sinulle on vastaamaton puhelu, lisatietoja: @ 
Viesti sinulle: @ %6% 

Added examples of DHL-themed messages.