FluBot, also called Cabassous, emerged in the wild in December 2020, disguising itself as package-tracking applications from carriers such as FedEx, DHL, and Correos. It spreads primarily via smishing (SMS-based phishing) messages that trick recipients into tapping a link that downloads the malware-laced app. Once launched, the app requests access to Android's Accessibility Service, a permission that lets an app read screen content and inject input on the user's behalf, and abuses it to stealthily siphon bank account credentials and other sensitive information from cryptocurrency apps.
The takedown of the prominent mobile malware threat known as FluBot was the result of an international law enforcement effort involving 11 nations. "This Android virus has been spreading aggressively through SMS," Europol said in a statement, "grabbing passwords, online banking data, and other sensitive information from compromised cellphones throughout the world." Authorities from Australia, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, the Netherlands, and the United States were involved in the "complex probe."
According to ThreatFabric’s mobile threat landscape report for H1 2022, FluBot was the second most active banking trojan behind Hydra, accounting for 20.9% of the samples observed between January and May. “ThreatFabric has closely worked with law enforcement on the case,” founder and CEO Han Sahin told The Hacker News. “It’s a great win considering FluBot threat actors have or had one of the most resilient strategies when it comes to distribution and hosting of their backends with DNS-tunneling through public DNS-over-HTTPS services. This backend resilience in C2 hosting and fronting is what makes the efforts of the Dutch digital crime unit very impressive.”
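The DNS-tunnelling C2 channel Sahin refers to is the kind of thing a detection engineer would want to spot in resolver or DoH-proxy logs. What follows is an added example written for this article, not code from The Hacker News, ThreatFabric or Europol, and it does not reproduce FluBot's actual encoding or domains: it scores query names with a few classic tunnelling heuristics (long labels, high character entropy, many subdomain labels, digit-heavy payloads) and flags a registrable domain once enough high-scoring queries accumulate under it. The sample log, the `tunnel-example.test` and other domains, the hex chunks and the thresholds are all constructed assumptions.

```python
"""Heuristic detector for DNS-tunnelling style query names.

Added illustration; not code from the article, ThreatFabric or Europol, and
not FluBot's real encoding. Input is an assumed list of (client_ip, qname)
pairs as a resolver or DoH proxy might log; thresholds are assumed starting
points for tuning, not validated values.
"""
import math
from collections import Counter, defaultdict

# Constructed 32-hex "chunks": each uses every hex digit exactly twice, so the
# label entropy is exactly 4 bits/char, typical of hex/base32-encoded payloads.
_CHUNKS = [
    "4f3a9c1e8b2d7065" + "d2f4a6c8e0b13957",
    "0a1b2c3d4e5f6789" + "fedcba9876543210",
    "7e1c5a3f9d0b2648" + "b8d6f4e2a0c97531",
    "d2f4a6c8e0b13957" + "7e1c5a3f9d0b2648",
    "fedcba9876543210" + "4f3a9c1e8b2d7065",
]

# Constructed sample log (not real traffic). One client sends five sequenced
# chunks under tunnel-example.test; the rest are ordinary lookups, plus one
# lone long query that should NOT be flagged on its own.
SAMPLE_QUERIES = [
    ("10.0.0.5", f"{c}.{i}.tunnel-example.test") for i, c in enumerate(_CHUNKS)
] + [
    ("10.0.0.6", "www.bank-example.test"),
    ("10.0.0.6", "login.bank-example.test"),
    ("10.0.0.8", "tracking.dhl-example.test"),
    ("10.0.0.8", "api.fedex-example.test"),
    ("10.0.0.9", "mail.corp-example.test"),
    ("10.0.0.7", f"{_CHUNKS[0]}.0.cdn-example.test"),
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname):
    """Naive registrable domain: last two labels. Real code should use the
    public suffix list so that e.g. co.uk is not treated as a domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname, max_label=30, min_entropy=3.5, min_labels=2, digit_ratio=0.3):
    """Return 0..4: one point per tunnelling heuristic the subdomain part trips."""
    labels = qname.rstrip(".").split(".")
    sub = labels[:-2]  # everything left of the registrable domain
    if not sub:
        return 0
    payload = "".join(sub)
    score = 0
    if max(len(label) for label in sub) >= max_label:   # very long single label
        score += 1
    if shannon_entropy(payload) >= min_entropy:         # encoded, not a word
        score += 1
    if len(sub) >= min_labels:                          # sequence/chunk labels
        score += 1
    if sum(ch.isdigit() for ch in payload) / len(payload) >= digit_ratio:
        score += 1
    return score


def find_tunnelling_domains(queries, min_queries=5, min_avg_score=3):
    """Map registrable domain -> query count for domains whose queries are
    both numerous and consistently tunnel-like. A single odd query is ignored."""
    per_domain = defaultdict(list)
    for _client, qname in queries:
        per_domain[registrable_domain(qname)].append(score_query(qname))
    return {
        dom: len(scores)
        for dom, scores in per_domain.items()
        if len(scores) >= min_queries and sum(scores) / len(scores) >= min_avg_score
    }


if __name__ == "__main__":
    for dom, count in find_tunnelling_domains(SAMPLE_QUERIES).items():
        print(f"suspected DNS tunnel: {dom} ({count} queries)")
```

One caveat that matters for exactly the setup Sahin describes: when the malware talks to a public DNS-over-HTTPS resolver directly, the query names travel inside TLS and a network sensor never sees them. These heuristics only apply where DoH is terminated at a proxy you control, blocked so that clients fall back to your resolver, or logged on the device; otherwise the observable signal is the connection to the DoH endpoint itself.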
To make matters worse, the malware used the contact list on the infected device to spread further, sending SMS messages with links to the FluBot malware to the victim's contacts. Although FluBot itself is Android malware, its campaigns have in recent months also targeted iOS users, who are redirected from the same links to phishing sites and subscription scams. "This FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral," the agency noted, adding that the Dutch Police orchestrated the seizure last month.
The Dutch cybersecurity company also noted that new unique FluBot samples stopped appearing after May 19, coinciding with the takedown, which effectively halted the operators' "worming efforts." "The overall impact [of the dismantling] on the mobile threat landscape is limited since FluBot is not the strongest Android banking trojan," Sahin added. "Exo, Anatsa, Gustuff, those are a real problem to any user. The power behind FluBot has always been [its] infection numbers."