An international law enforcement operation involving 11 countries has culminated in the takedown of a notorious mobile malware threat called FluBot.
“This Android malware has been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world,” Europol said in a statement.
The “complex investigation” included authorities from Australia, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, the Netherlands, and the U.S.
FluBot, also called Cabassous, emerged in the wild in December 2020, masking its insidious intent behind the veneer of seemingly innocuous package tracking applications such as FedEx, DHL, and Correos.
It primarily spreads via smishing (aka SMS-based phishing) messages that trick unsuspecting recipients into clicking on a link to download the malware-laced apps.
Once launched, the app would proceed to request access to Android’s Accessibility Service to stealthily siphon bank account credentials and other sensitive information stored in cryptocurrency apps.
To make matters worse, the malware leveraged its access to contacts stored in the infected device to propagate the infection further by sending messages containing links to the FluBot malware.
FluBot campaigns, while primarily an Android malware, have also evolved to target iOS users in recent months, wherein users attempting to access the infected links are redirected to phishing sites and subscription scams.
“This FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral,” the agency noted, adding that the Dutch Police orchestrated the seizure last month.
According to ThreatFabric’s mobile threat landscape report for H1 2022, FluBot was the second most active banking trojan behind Hydra, accounting for 20.9% of the samples observed between January and May.
“ThreatFabric has closely worked with law enforcement on the case,” founder and CEO Han Sahin told The Hacker News.
“It’s a great win considering FluBot threat actors have or had one of the most resilient strategies when it comes to distribution and hosting of their backends with DNS-tunneling through public DNS-over-HTTPS services. This backend resilience in C2 hosting and fronting is what makes the efforts of the Dutch digital crime unit very impressive.”
The Dutch cybersecurity company also noted that unique malware samples developed by the operators of FluBot stopped after May 19, coinciding with the takedown, effectively slowing their “worming efforts.”
“The overall impact [of the dismantling] on the mobile threat landscape is limited since FluBot is not the strongest Android banking trojan,” Sahin added. “Exobot, Anatsa, Gustuff — those are a real problem to any user. The power behind FluBot has always been [its] infection numbers.”