FluBot seeks to steal financial data on Android phones

A factory reset will be needed, which means lost data unless a back-up schedule is in place

When Flubot hit the UK in May, it was only a matter of time before it began circulating here.

The Android-focused malware tricks users into downloading software to their phone using a fake text message claiming to be from a delivery company. Within the message was a link that directed recipients to download an app to track their delivery.

Nothing out of the ordinary for many of us who have embraced online shopping since the pandemic hit last year. But the difference between this message and the standard delivery notification was that the fake message directed users to download the app from outside the Google Play Store. The software packages, called APKs, are actually banking trojans, and the aim is to steal your financial data.

In a warning to consumers, regulator ComReg said once installed FluBot could make calls, steal passwords and other data, access contact details and spread the malware via text message, and change accessibility settings on devices.

It’s a lot to take in, especially when you realise the cure for Flubot: a complete factory reset of your device. That means lost data unless you have a regular back-up schedule in place. Even if you are fastidious about backups, you’ll need to be careful and make sure you choose a backup from before Flubot hit, unless you want to reinstall the malware.

Because Apple devices cannot install apps from outside the App Store, this malware poses more of a risk to Android devices. But that doesn’t mean Apple users shouldn’t be on their guard too.

If you are feeling a bit under siege, you’re not the only one. Flubot is yet another fraud aimed at hard-pressed mobile customers, and with all the upheaval that the current public health emergency has caused, it’s not a given that consumers will be able to pick out the genuine messages from the scams.

The latest scam comes as Irish consumers are still dealing with the fallout from the HSE hack, and a rise in fraudulent calls and texts claiming to be from officials such as the Department of Social Protection. The fraudulent calls claiming to be from the latter appear to come from an Irish number, as do the numerous text messages that try to lure us into falling for a scam. Anecdotally, many of the calls have come from numbers with an 083 prefix, with texts coming from 086 and 087 numbers. Others reported communications via landlines and 085 numbers.

So do the networks have a role to play here? It’s not quite as simple as the mobile operators being on their guard to prevent spam messages and scam calls from circulating. Picking out the fraudulent activity from the genuine is more complicated than it might seem.

That’s not to say that mobile companies don’t have any weapons to fight back against scammers; understandably though, they aren’t too keen to go into detail.

“At Three we have robust security measures in place to help prevent scam messages from reaching our customers. With reports of such scam calls and texts, we will always engage with the relevant authorities to resolve the issue,” the mobile network said in a statement. “We proactively monitor our network for large spikes in call volumes which could be scam calls and take action to prevent further calls being made if required. Once reported by our customers, we will immediately block number ranges to prevent further customer impact.”

Vodafone, meanwhile, has embarked on fraud awareness campaigns to try to stop their customers falling for the scams.

“At Vodafone, we understand the concerns of customers with regard to fraudulent calls and SMS, and actively engage in cross industry efforts to prevent and disrupt such instances from occurring where possible,” the network said. “We also deliver fraud awareness campaigns to ensure customers understand the risks that scam SMS can bring, and have a dedicated, 24-hour support team who help customers navigate the challenges. We advise all our customers to be vigilant and careful about clicking on any links received in an SMS and refrain from sharing personal information with a cold caller.”

The scam artists spreading the fake messages aren’t necessarily based in Ireland, or within the reach of the gardaí. The calls come into Ireland across all the mobile networks through an interconnect carrier, which is an operator that carries traffic between networks. There are a number of carriers that pass these calls in and out of Ireland, and they allow us to send and receive calls to other networks, domestically or internationally.

“In the event that spam calls or SMS originate within our network, we can deal with it swiftly, once detected. When the source of the calls or SMS’s is another operator, either here or offshore, we pass the relevant information to them as the onus is on that operator to terminate at source, which is the case here,” Three said. “In relation to the recent scams we have contacted several interconnect carriers where we have identified on this issue, we have also encouraged the carriers to engage with the gardaí.”

However, although networks can block the numbers where they see a spike in calls, the reality is that the number can then be changed, making it harder to stamp out the scam completely.

More complicated still is the fact that although the numbers may look like they are Irish phone numbers, they are often spoofed, meaning they aren’t actually genuine numbers at all.

There may be another way to stop these scams in their tracks: zero trust. That would, according to its proponents, stop phishing via bad web addresses before it even gets started.

“The Flubot malware, once it’s installed, is very sophisticated and very, very nasty,” said MetaCert’s Paul Walsh. His company is focused on fighting SMS phishing, where text messages are weaponised to scam consumers. “It’s the worst I’ve seen on mobile. But the delivery isn’t more sophisticated.”

Part of the issue is that while SMS firewalls can help mobile operators in terms of protecting traffic and revenue, they aren’t set up for phishing attacks.

“If you want to protect your home, you don’t think about the sophisticated techniques that a criminal would use once they’re inside your house to open up your safe if you’re leaving your front door open or letting them in the front of your house,” said Walsh. “You just don’t let them in your front door and then you don’t have to worry about the sophistication of your safe.”

The situation, he says, is getting urgent. Hackers have realised how much more successful SMS phishing is compared to email, and the situation is only going to get worse, he warns.

He estimates that a deceptive URL has served its purpose within three minutes of an SMS being sent, allowing the attackers to move on to the next one. That makes it almost impossible for mobile operators to fight back, as a URL flagged as suspicious must be investigated by security vendors and classed as dangerous before it can be blocked or removed.

Walsh believes zero trust for web addresses is the way forward. This is where we assume that all links are bad unless they are verified, something that MetaCert’s Zero Trust URL & Web Access Authentication system offers.

The system has 20 billion URLs verified, and sophisticated tools that speed up the process. Plus not every safe URL in existence has to be verified, just the ones more likely to be sent via SMS, such as delivery companies, government sites, postal tracking and so on.
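As an added illustration of the allowlist idea described above (this is example code, not MetaCert’s system; the verified domains are constructed placeholders), the check below treats every link in an SMS as untrusted unless its host is exactly a verified domain or a subdomain of one, and rejects the lookalike tricks a substring match would let through:

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of verified sender domains (illustrative, not a real registry).
VERIFIED_DOMAINS = {"parcel-courier.example", "tracking.post.example", "gov.example"}

# Matches plain web links embedded in message text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_verified_link(url: str) -> bool:
    """Zero-trust check: a link is untrusted unless its host is a verified
    domain or a subdomain of one. Anything that cannot be parsed cleanly is
    rejected rather than guessed at."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    # Only plain web links are considered; other schemes are never trusted.
    if parts.scheme not in ("http", "https"):
        return False
    # Reject userinfo tricks such as https://post.example@evil.example/ where
    # the trusted name appears before the '@' but the real host is after it.
    if "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Internationalised or punycode hosts are not matched against the ASCII allowlist.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    # Exact match, or a label boundary before a verified domain. Plain substring
    # matching would wrongly accept "post.example.evil.example" or "notpost.example".
    return host in VERIFIED_DOMAINS or any(host.endswith("." + d) for d in VERIFIED_DOMAINS)


def check_sms(text: str) -> list:
    """Extract every link in an SMS and pair it with its verified/untrusted verdict."""
    return [(u, is_verified_link(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample message in the style of the delivery scam described above.
    sample = "Your parcel is held. Track it at http://parcel-courier.example.redelivery.example/track"
    for link, ok in check_sms(sample):
        print(("verified " if ok else "UNTRUSTED ") + link)
```

A link that fails the check is not proven malicious; under the zero-trust model it is simply never presented as safe until it has been verified.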

The work is ongoing, but Walsh is optimistic.

“We had the solution two years ago for SMS,” said Walsh. “Flubot is what is now bringing us to the table because operators who have it on their network are trying to find a solution for it.”

For now, Flubot continues to put users in Ireland, and further abroad, at risk.

How to avoid scams

* Never give out personal or financial information to cold callers.

* Assume all links are suspect, even if they appear to be from someone you trust. If a number purporting to be a delivery company sends you a link to track your package, don’t use the link. If you are expecting a delivery, visit the company’s official website by typing the safe web address into your browser bar, and use the tracking number they have sent you in the message to figure out where your package is.

* Don’t install apps from outside the official app store. Flubot gets on to your device by persuading users to override a safety mechanism and allow software installation from an unknown source, ie outside the Play Store. While you shouldn’t blindly trust software in the official app store either – there have been cases of malware found inside “official” apps – it is far easier for malicious actors to insert software into apps outside the Play Store than inside it.

* Make sure that Google Play Protect is turned on. To do so, go to the Play Store app on your phone, and tap your account name in the top right corner. Select Play Protect, and ensure it is turned on. That will scan for harmful apps and flag any that have been detected on your phone.

* If you do install Flubot unknowingly, you will have to wipe your phone to get rid of it. That means doing a factory reset – and losing any data you did not back up before installing Flubot on your device.

* Because Flubot steals your credentials, any passwords used on your device after it was installed are at risk. To be safe, reset these passwords and if you reuse the same credentials on other accounts – a security no-no, by the way – reset those too. A password manager such as NordPass, LastPass or DashLane will help you create strong unique passwords for each account you have, and store them for you.