Another wave of FluBot: malware being spread by SMS

Alert1/2022

The FluBot malware targeting Android devices is once again being actively spread in Finland. The malware aims to steal data from devices, and it is spread via SMS and MMS. Receiving or opening the message is not dangerous, but a malware infected device should be reset to factory settings.

älypuhelin

Another mobile malware campaign has become active in Finland. The malware is being spread by SMS, and it is targeting Android devices.

The FluBot malware may steal data from mobile devices. The malware spreads further by sending SMS and MMS messages from the infected devices. The messages that are circulating currently are written without Scandinavian letters (å, ä and ö) and in many messages words have been split by superfluous spaces. For iPhone users, the scam messages mean a risk of subscription traps and other types of fraud.

“The most recent FluBot malware campaign is very similar to the previous ones. Fraudsters have sent thousands of scam messages. The malware has been updated, and in the present campaign scam messages are also being sent via MMS,” says Matias Mesiä, information security adviser at the NCSC-FI.

Kooste FluBot-haittaohjelmaa levittävistä viesteistä. Huijausviestien aiheina: Sinulla on postia, vastaamaton puhelu, hieno viesti, uusi viesti sinulle
The FluBot malware is being spread by text and multimedia messages.

The messages sent to spread the malware have concerned voicemail, unanswered calls and parcel deliveries, for example. What all messages have in common is that they ask the recipient to open the link in the message.

Clicking on the link does not yet install the malware. Instead, the link takes the user to a website instructing the user to install the malware. The malware requests consent for installation. The messages try to get the user to disable security features to allow the installation of the malware.

Huijausviestin takaa avautuva sivu, joka pyytää asentamaan haittaohjelman. Sovellusten asentamista tuntemattomista lähteistä ei tule sallia puhelimen asetuksista.
A website used to spread the malware. The scam messages include links that take users to fraudulent websites. Never change your device settings to allow the installation of applications from unknown sources.

Target group of the alert

FluBot targets users with an Android device and a mobile subscription.

Messages spreading the malware are also sent to other devices. iPhone users, for example, are directed to subscription traps and other fraudulent material.

Possible solutions and restrictive measures

Do not open the links included in the scam messages. Clicking on a link does not yet install the malware on your device.

Never install applications from other sources than app stores. If you have installed the malware, you need to take immediate action. The quickest way to remedy the situation is to perform a factory reset on the infected device. 

More detailed instructions are provided at the end of this alert.

More Information

The FluBot campaign with fraudulent messages was last active in Finland in December 2021 . We also issued an alert on malware being spread by SMS in June 2021 .

The latest malware campaign uses methods similar to those in previous campaigns. The current campaign also uses MMS to spread the malware.

IF YOUR DEVICE HAS BEEN INFECTED WITH FLUBOT

  • Perform a factory reset on the device. If you restore your settings from a backup copy, make sure you restore from a backup created before the malware was installed.
  • If you have used a banking application or handled credit card information on the infected device, contact your bank.
  • Report any financial losses to the police.
  • Reset your passwords on any services you have used with the infected device. The malware may have stolen your password if you have logged in after you installed the malware. 
  • Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spread by sending SMS and MMS from infected devices.