Date: 2022-01-17

FluBot is a Trojan designed specifically for Android devices that has been distributed through multiple fraudulent SMS (smishing) campaigns since 2020. It is estimated to have infected more than sixty thousand devices and to have compiled a list of some eleven million phone numbers. The attackers impersonate courier companies or the postal service to get the user to install a malicious application. Its ultimate goal is to steal banking information in order to access the victim's accounts.

In its best-known version, this Trojan disguises itself as fake shipment and package tracking messages. FluBot spreads quickly by using the contact list of each infected device to send new smishing messages, which experts cite as one of the reasons it has reached such a high number of devices and phone numbers. FluBot can steal banking information (online banking credentials, credit card and payment data), SMS messages and contact lists, and can even place calls once it controls the device. It also executes remote commands sent from the attackers' command-and-control server and prevents the user from uninstalling the application.

In the first waves, the victim received an SMS announcing a package delivery together with a link to track it. Over the past year, SMS messages impersonating companies such as Correos, DHL and FedEx have been observed. Clicking the link takes the victim to a page that imitates the official site and asks them to download a tracking application. This 'app' is downloaded directly from a malicious site outside the Google Play Store, and the Trojan is hidden inside it.
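As an added illustration (not part of the original article and not code from any FluBot analysis), the following Python script applies the pattern described above to triage the text of an SMS: it looks for courier lure words, extracts the links, and flags any link whose host is not on an allow-list of courier domains, uses a non-ASCII (look-alike) hostname, or hands out an APK directly. The allow-list, the lure-word list and the sample messages are constructed for the example and should be replaced with the couriers and languages relevant to you.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for illustration only: in practice, take the official
# domains of the couriers relevant to you from their own sites.
KNOWN_COURIER_DOMAINS = {"correos.es", "dhl.com", "fedex.com"}
# Constructed lure-word list (English); campaigns use the local language.
LURE_WORDS = ("package", "parcel", "shipment", "delivery", "track", "customs")
URL_RE = re.compile(r'(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE)


def _split_url(url):
    """Return (lower-cased hostname, path) for a URL that may lack a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path


def _is_known_courier(host):
    """True when host is an allow-listed courier domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_COURIER_DOMAINS)


def triage_sms(text):
    """Classify one SMS as 'suspicious' or 'benign' and return the reasons.

    Rule: a direct APK link is always suspicious; otherwise the message is
    suspicious when it combines courier lure words with a link whose host is
    not on the allow-list (or is non-ASCII, a look-alike indicator).
    """
    reasons = []
    lure = [w for w in LURE_WORDS if w in text.lower()]
    if lure:
        reasons.append("courier lure words: " + ", ".join(lure))
    unknown_link = apk_link = False
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop trailing sentence punctuation
        host, path = _split_url(url)
        if path.lower().endswith(".apk"):
            apk_link = True
            reasons.append("link hands out an APK directly: " + url)
        if not host.isascii():
            unknown_link = True
            reasons.append("non-ASCII hostname (possible look-alike): " + host)
        elif not _is_known_courier(host):
            unknown_link = True
            reasons.append("link host not on the courier allow-list: " + host)
    verdict = "suspicious" if apk_link or (lure and unknown_link) else "benign"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample messages, not texts from a real campaign.
    for msg in (
        "DHL: your package is waiting. Track it here: http://dhl-track-parcel.example/ab12",
        "Correos: install the tracking app http://198.51.100.7/Correos.apk",
        "Your FedEx shipment is out for delivery: https://www.fedex.com/tracking",
        "Dinner at 8? http://example.org",
    ):
        print(triage_sms(msg))
```

The verdict deliberately requires both a lure and a bad link, so an ordinary message that merely contains a URL is not flagged; an APK link is treated as suspicious on its own because no legitimate courier distributes its app that way.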

How to disinfect your device

Once the user installs the application, the malicious code starts tracking the identifiers of every application the user launches and can inject overlay pages when it detects a login in one of its target applications. The user believes they are entering their credentials on the genuine site when in fact they are sending them to the command-and-control (C2) server run by the malware's operators. In this way, the criminals obtain everything they need to log in to the victim's online banking and payment services.
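The overlay trick described above requires the malware to know which app is in the foreground and to draw over it, and Android banking Trojans typically obtain both abilities by getting the user to enable an accessibility service for the app, which is also what lets them resist uninstallation. As an added, defender-side example (not the article's content and not FluBot code), the following Python script audits two adb outputs for a user-installed app that has an accessibility service enabled: `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`. The sample outputs and package names are constructed; the trusted-installer set is an assumption to adapt to your fleet.

```python
# Constructed samples of the two adb outputs the audit consumes:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_PM_LIST = """\
package:com.bank.example  installer=com.android.vending
package:org.fdroid.fdroid  installer=null
package:com.fakecourier.tracker  installer=null
"""
SAMPLE_A11Y = (
    "com.fakecourier.tracker/com.fakecourier.tracker.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)
# Assumption: Google Play is the only trusted source; add your MDM or enterprise store.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})


def parse_installers(pm_output):
    """Map package name -> installer package; None when sideloaded (installer=null)."""
    result = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip() or "null"
        result[name.strip()] = None if installer == "null" else installer
    return result


def parse_accessibility_services(setting_value):
    """Split 'pkg/Service:pkg/Service' into (package, service) pairs; 'null' means none."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        pairs.append((pkg, svc))
    return pairs


def audit_accessibility(pm_output, setting_value, trusted=TRUSTED_INSTALLERS):
    """Return (package, service, installer) for every enabled accessibility
    service that belongs to a user-installed app not from a trusted installer.

    Packages absent from the third-party list are preinstalled system apps
    (for example a screen reader) and are out of scope for this check.
    """
    third_party = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_accessibility_services(setting_value):
        if pkg not in third_party:
            continue
        installer = third_party[pkg]
        if installer not in trusted:
            findings.append((pkg, svc, installer))
    return findings


if __name__ == "__main__":
    for pkg, svc, installer in audit_accessibility(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(f"suspicious accessibility service: {pkg}/{svc} (installer={installer})")
```

A hit here is not proof of infection, but a sideloaded app with an accessibility service enabled is exactly the combination an overlay Trojan needs, so it is the first thing to look at on a device that received one of these SMS messages.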

According to the Internet Security Office (OSI), the Trojan does not allow the user to uninstall it manually. Although installing applications from outside the official app stores is normally not recommended, in this case OSI recommends removing the malware with an open-source application created by a reliable Android team. The application is hosted on GitHub, so you must enable the option to install applications from unknown sources on your device. The option is in the Security section of the device settings (the exact path varies by model); on Android 8 and later it is granted per app, under "Install unknown apps", to the browser or file manager used to open the downloaded file. Download the tool only from its genuine GitHub project page, since a fake "removal tool" is exactly the kind of lure these campaigns use. Once the tool is installed, remember to disable that option again.