In the new SMS attacks, FluBot Android spyware targets Finland

The Finnish authorities issued a similar warning last year after detecting the distribution of 70,000 malicious messages in just 24 hours. This time, no specific numbers have been provided, but the NCSC-FI stated that “thousands of malicious messages are circulating” to potential victims. The FluBot operators use SMS messages claiming to contain links to voicemail, missed call notifications, or alerts about incoming money from an unknown financial transaction. The links in these messages take the victim to a website that hosts the FluBot APK, which the victims are asked to download and install to learn about the transaction details.

The National Cyber Security Center of Finland (NCSC-FI) has issued a warning regarding an increase in FluBot Android malware infections as a result of a new campaign that uses SMS and MMS for dissemination. FluBot aims to steal victims’ financial account information by displaying phishing pages on top of real banking and cryptocurrency apps. It can also acquire SMS data, make phone calls, and watch incoming alerts to steal temporary authentication codes such as one-time passwords (OTP), which are required in addition to the standard login credentials.

Highlights

  • The attackers waste no opportunity to monetize: if the malicious SMS reaches an iPhone user, the user is redirected to premium subscription fraud and other scams. NCSC-FI clarifies that simply opening the links does not install malware on your device, but users should avoid installing APKs from outside the official Play Store. If your device is already infected with FluBot, resetting the system to factory defaults should get rid of the malware. If you restore from a backup, it’s important to make sure that it does not contain the malware.

Image: Bogus voicemail alert urging the user to download an app (NCSC-FI).

  • The FluBot app asks victims to grant risky permissions on Android, such as accessing SMS data, managing phone calls, and reading the user’s address book. Threat actors use the contacts list to push a second-wave SMS from compromised devices. Because these messages come from a known source, the recipients are more likely to open them and infect their devices.
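The permission combination described above can be checked during triage of a sideloaded APK. The following is an added example, not code from NCSC-FI or the original article: it reads a decoded, text-form AndroidManifest.xml (for instance as produced by apktool) and reports which of the capabilities named in the article the app requests. The mapping from capabilities to Android permission names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Assumed mapping: capabilities named in the article -> Android permission names.
CAPABILITIES = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "calls": {"CALL_PHONE", "READ_PHONE_STATE", "READ_CALL_LOG"},
    "contacts": {"READ_CONTACTS"},
}
LISTENER = "BIND_NOTIFICATION_LISTENER_SERVICE"  # lets a service read notifications

def requested_capabilities(manifest_xml):
    """Return {capability: set of matching permissions} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID + "name", "")
            if not name.startswith(PREFIX):
                continue
            short = name[len(PREFIX):]
            for cap, perms in CAPABILITIES.items():
                if short in perms:
                    found.setdefault(cap, set()).add(short)
    # Notification access is declared on a <service>, not via <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission", "") == PREFIX + LISTENER:
            found.setdefault("notifications", set()).add(LISTENER)
    return found

def matches_article_profile(manifest_xml):
    """True when SMS, call and contacts access are all requested together."""
    return {"sms", "calls", "contacts"} <= set(requested_capabilities(manifest_xml))

HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
# Constructed sample: a "voicemail" app asking for everything the article lists.
SAMPLE_SUSPICIOUS = (HEAD % "example.voicemail") + """
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application><service android:name=".Listener"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/></application>
</manifest>"""
# Constructed sample: an app that only reads contacts and uses the network.
SAMPLE_BENIGN = (HEAD % "example.notes") + """
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, matches_article_profile(xml), requested_capabilities(xml))
```

A match is a reason to look closer, not a verdict: legitimate dialer and messaging apps request the same permissions.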

If you suspect that you used a banking application after the infection, contact your bank and follow their instructions. Additionally, monitor all your transactions closely and report any fraudulent activity immediately. It is also recommended to reset the passwords for accounts used from the compromised device. If you are an iPhone user who has inadvertently subscribed to premium services via a FluBot SMS, contact your carrier and ask them to cancel the subscription. If possible, place a permanent ban on subscriptions to these services.