FluBot botnet infected over 60,000 devices in two months – “Hacker”

According to experts, in just two months, the Android malware FluBot infected more than 60,000 devices, and 97% of its victims are in Spain.

FluBot was first noticed by ThreatFabric experts at the beginning of this year, and analysts at the Swiss firm PRODAFT have now prepared a detailed report on the malware.

Experts describe a dangerous banking Trojan that is capable of displaying fake login screens on top of other applications. Thus, the malware collects e-banking credentials and payment card details of its victims.

The impressive number of FluBot infections is most likely due to a worm-like mechanism in the malware's code, thanks to which attackers can download the victim’s address book to their command and control server and send SMS spam from there.

“Currently, more than 11 million phone numbers have been collected from infected devices, which is 25% of the total population of Spain,” the researchers write. “We estimate that the malware is capable of collecting almost all phone numbers in Spain in six months if no action is taken.”

These SMS messages contain various lures to get the recipient to follow the link. The links usually lead to hacked sites where FluBot operators host their malware hidden inside APK files.

If a user downloads and installs such an “application”, ignoring all operating system warnings about the dangers of installing applications from third-party sources, the device is infected with FluBot.

The malware does not have full control over the device unless the user grants it access to the Accessibility service. Once those rights are obtained, the malware can execute commands and simulate screen taps while remaining invisible to the owner of the device. As a result, FluBot is capable of intercepting and blocking app notifications, setting itself as the default SMS app, using USSD and making phone calls, and stealing contact lists. Accessibility also allows the Trojan to display phishing screens over other legitimate applications.

Examples of malicious overlays
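
An added example (not from the PRODAFT report or the original article) of a defender-side check for the privileges described above. It takes the output of `adb shell pm list packages -3 -i`, `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application`, and flags third-party apps not installed from a trusted store that hold an Accessibility service or the default SMS role. The trusted-installer list and the sample package names are assumptions constructed for illustration.

```python
import re

# Assumption: installers treated as trusted stores; adjust to local policy.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def parse_accessibility(setting_value):
    """Return the packages that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    # Value is a colon-separated list of components: package/ServiceClass
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_value, sms_default):
    """Flag sideloaded third-party apps holding the privileges listed above."""
    a11y = parse_accessibility(a11y_value)
    sms = sms_default.strip()
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg == sms:
            reasons.append("default SMS app")
        if reasons:
            findings.append((pkg, installer, reasons))
    return findings

# Constructed sample output (hypothetical package names), not from a real device.
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:com.example.parcel.tracker  installer=null
package:com.example.reader  installer=com.android.vending"""
SAMPLE_A11Y = "com.example.reader/.ReadAloudService:com.example.parcel.tracker/.CoreService"
SAMPLE_SMS = "com.example.parcel.tracker"

if __name__ == "__main__":
    for pkg, installer, reasons in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_SMS):
        print(f"{pkg} (installer={installer}): {', '.join(reasons)}")
```

A store-installed app with an Accessibility service (the reader app in the sample) is not flagged; only the combination of an untrusted installer and one of these privileges is reported.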

PRODAFT experts write that they were able to gain access to the FluBot control panel, which allowed them to determine the number of infected devices. The researchers have already notified Spanish law enforcement of their findings so that authorities can take action against the botnet.

Welcome message on the C&C server