The creators of FluBot have launched a new campaign that uses fake Android security update warnings to trick potential victims into installing the malware on their devices.
In a new blog post, New Zealand’s computer emergency response team Cert NZ has warned users that the message on the malware’s new installation page is actually a lure designed to instill a sense of urgency that tricks users into installing FluBot on their own devices.
The new FluBot installation page, that users are led to after receiving fake messages about pending or missed package deliveries or even stolen photos uploaded online, informs them that their devices are infected with FluBot which is a form of Android spyware used to steal financial login and password data from their devices. However, by installing a new security update, they can remove FluBot from their Android smartphone.
The page also goes a step further by instructing users to enable the installation of apps from unknown sources on their device. By doing so, the cybercriminals’ fake security update can be installed on their device and while a user may think they’ve taken action to protect against FluBot, they’ve actually installed the malware on their smartphone themselves.
Changing tactics
Until recently, FluBot was spread to Android smartphones through spam text messages using contacts stolen from devices that were already infected with the malware. These messages would instruct potential victims to install apps on their devices in the form of APKs that were delivered by attacker-controlled servers.
Once FluBot has been installed on a user’s device, the malware often tries to trick victims into giving it additional permissions as well as granting access to the Android Accessibility service that allows it to run in the background and execute other malicious tasks.
FluBot is capable of stealing a user’s payment and banking information by using overlay attacks where an overlay is placed on top of legitimate banking, payment and cryptocurrency apps. As mentioned before, the malware will also steal a user’s contacts to send them phishing messages to help spread FluBot even further.
While FluBot was mainly used to target users in Spain at its onset, its operators have since expanded the campaign to target additional countries in Europe including Germany, Poland, Hungary, UK and Switzerland as well as Australia and Japan in recent months.
Via BleepingComputer