According to experts, in just two months, the Android malware FluBot infected more than 60,000 devices, and 97% of its victims are in Spain.
New Android banking Trojan “Cabassous” doesn’t yet provide more than classic overlay and SMS stealing features but is the only known active banker using DGA.
It uses an RSA based DH scheme to protect the communications with the C2 and obtains relevant C2 addresses using a DGA.
— ThreatFabric (@ThreatFabric) January 6, 2021
FluBot was first spotted by ThreatFabric researchers at the beginning of this year, and analysts at the Swiss firm PRODAFT have now prepared a detailed report on the malware.
The experts describe a dangerous banking Trojan that is capable of displaying fake login screens on top of other applications. In this way the malware collects the e-banking credentials and payment card details of its victims.
The large number of FluBot infections is most likely due to a worm-like mechanism in the malware: the infected device uploads the victim’s address book to the command and control server, and the operators then send SMS spam to those numbers from there.
“Currently, more than 11 million phone numbers have been collected from infected devices, which is 25% of the total population of Spain,” the researchers write. “We estimate that the malware is capable of collecting almost all phone numbers in Spain in six months if no action is taken.”
These SMS messages use various lures to get the recipient to follow the link. The links usually lead to compromised sites where the FluBot operators host their malware hidden inside APK files.
If a user downloads and installs such an “application”, ignoring all of the operating system’s warnings about the dangers of installing apps from third-party sources, the device is infected with FluBot.
The malware does not gain full control of the device unless the user grants it access to the Accessibility service. Once that permission is obtained, the malware can execute commands and simulate screen taps while remaining invisible to the device owner. As a result, FluBot is capable of intercepting and blocking app notifications, setting itself as the default SMS app, using USSD codes and making phone calls, and stealing contact lists. Accessibility also allows the Trojan to display phishing screens over other, legitimate applications.
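A device triage check for the two footholds described above, added here as an example and not code from the PRODAFT report: it inspects the values of the Android Secure settings enabled_accessibility_services and sms_default_application (as returned by `adb shell settings get secure <name>`) and flags any package that holds Accessibility or the default SMS role without being on an allowlist. The allowlist entries and the sample values are constructed for the demo.

```python
from dataclasses import dataclass

# Hypothetical allowlist: packages a fleet owner expects to hold these roles.
KNOWN_ACCESSIBILITY_PKGS = {"com.google.android.marvin.talkback"}
STOCK_SMS_PKGS = {"com.google.android.apps.messaging", "com.android.messaging"}

# Constructed sample output of `settings get secure ...` on a suspect device.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakeupdate/com.example.fakeupdate.AccService"
)
SAMPLE_DEFAULT_SMS = "com.example.fakeupdate"


@dataclass(frozen=True)
class Finding:
    setting: str   # which Secure setting produced the hit
    package: str   # package holding the privilege
    reason: str


def parse_services(raw: str) -> list[str]:
    """enabled_accessibility_services is a colon-separated list of
    package/Service component names; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def triage(accessibility_raw: str, default_sms_raw: str) -> list[Finding]:
    """Flag non-allowlisted Accessibility services and a non-stock SMS handler."""
    findings = []
    for component in parse_services(accessibility_raw):
        pkg = component.split("/", 1)[0]
        if pkg not in KNOWN_ACCESSIBILITY_PKGS:
            findings.append(Finding("enabled_accessibility_services", pkg,
                                    "Accessibility granted outside the allowlist"))
    sms_pkg = default_sms_raw.strip()
    if sms_pkg and sms_pkg != "null" and sms_pkg not in STOCK_SMS_PKGS:
        findings.append(Finding("sms_default_application", sms_pkg,
                                "default SMS handler is not a stock messaging app"))
    return findings


def packages_with_both(findings: list[Finding]) -> set[str]:
    """One package holding both Accessibility and the SMS role is the strongest signal."""
    by_setting = {f.setting: set() for f in findings}
    for f in findings:
        by_setting[f.setting].add(f.package)
    return (by_setting.get("enabled_accessibility_services", set())
            & by_setting.get("sms_default_application", set()))


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS):
        print(f"[{f.setting}] {f.package}: {f.reason}")
    print("both roles:", packages_with_both(triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS)))
```

On a real device the two raw strings come from adb, and a clean device should return no findings.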
PRODAFT experts write that they were able to gain access to the FluBot control panel, which allowed them to determine the number of infected devices. The researchers have already notified Spanish law enforcement of their findings so that the authorities can take action against the botnet.