The takedown of a prominent mobile malware threat known as FluBot was the result of an international law enforcement effort involving 11 nations. “This Android virus has been spreading aggressively through SMS,” Europol said in a statement, “grabbing passwords, online banking data, and other sensitive information from compromised cellphones throughout the world.”
Authorities from Australia, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, the Netherlands, and the United States were involved in the “complex probe.”
FluBot, also known as Cabassous, first appeared in the wild in December 2020, hiding its malicious purpose behind the facade of seemingly harmless shipment-tracking apps impersonating carriers such as FedEx, DHL, and Correos. It spreads mostly through smishing (SMS-based phishing) messages, which trick users into clicking a link to download the malware-laced software.
Once activated, the app requested access to Android’s Accessibility Service, which it used to silently steal bank account credentials and other sensitive information stored in cryptocurrency apps. To make matters worse, the malware used the infected device’s contact list to spread further, sending those contacts SMS messages containing links to the FluBot malware.
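The distribution described above rests on a recognisable lure: a parcel-delivery message, a link, and a download that is not what the carrier would actually send. The following is an added example (not code from the article or from any of the organisations it names) of a heuristic scorer a defender could run over incoming SMS text, for instance in a mobile security product or an SMS gateway log review. The sample messages, the carrier domain list and the score thresholds are constructed assumptions for the example.

```python
"""Heuristic scoring of SMS text for FluBot-style parcel-delivery smishing.

Added example, not from the article. It scores a message on signals the
article describes: a parcel/delivery lure, a link, a link that points to a
direct .apk download, and a brand mention whose link goes to a domain the
brand does not own. Sample messages, the carrier domain list and the
threshold are constructed for the example and must be tuned before real use.
"""
import re
from dataclasses import dataclass, field

# Assumed legitimate domains for the carriers the article says FluBot
# impersonated. Constructed for the example; a real list would be larger.
CARRIER_DOMAINS = {
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "correos": {"correos.es"},
}

LURE_WORDS = re.compile(
    r"\b(parcel|package|delivery|shipment|tracking|track your|courier)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels) for the example; real code should use
    a public-suffix list. Strips a trailing dot and any port."""
    parts = host.lower().rstrip(".").split(":")[0].split(".")
    return ".".join(parts[-2:])


def score_sms(text: str) -> Verdict:
    """Return an additive score plus the reasons that contributed to it."""
    v = Verdict()
    lowered = text.lower()
    if LURE_WORDS.search(text):
        v.score += 1
        v.reasons.append("parcel/delivery lure wording")
    m = URL_RE.search(text)
    if not m:
        return v                      # no link: nothing to click, low risk
    v.score += 1
    v.reasons.append("contains a link")
    host, path = m.group(1), m.group(2) or ""
    domain = registrable_domain(host)
    if path.lower().endswith(".apk"):
        v.score += 2                  # carriers do not ship APKs over SMS
        v.reasons.append("link points to a direct APK download")
    for brand, good_domains in CARRIER_DOMAINS.items():
        if brand in lowered and domain not in good_domains:
            v.score += 2              # brand named, link goes elsewhere
            v.reasons.append(f"mentions {brand} but links to {domain}")
            break
    return v


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Threshold is an assumption; 4 means lure + link + one strong signal."""
    return score_sms(text).score >= threshold


# Constructed sample messages, not real FluBot lures.
SAMPLES = [
    "DHL: your parcel is waiting. Track it here: http://dhl-tracking-update.example/app.apk",
    "Your DHL shipment 1234 is out for delivery. Details: https://www.dhl.com/track",
    "Hi, running late, see you at 7",
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = score_sms(s)
        print(f"{v.score:2d} {'SUSPICIOUS' if is_suspicious(s) else 'ok':10s} {v.reasons}")
```

The scorer is deliberately additive so an analyst can see which signal fired; a single keyword never trips it on its own, because the benign DHL message above also contains delivery wording and a link.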
While FluBot is predominantly an Android threat, it has recently evolved to target iOS users as well: when they open the malicious links, they are routed to phishing sites and subscription scams instead. “This FluBot infrastructure is now in law enforcement’s control, putting an end to the dangerous cycle,” the agency said, noting that the seizure was orchestrated by the Dutch Police last month.
FluBot was the second most active banking trojan behind Hydra, according to ThreatFabric’s mobile threat landscape analysis for H1 2022, accounting for 20.9 percent of the samples identified between January and May.
“ThreatFabric has cooperated closely with law enforcement on the case,” said Han Sahin, founder and CEO of ThreatFabric.
“It’s a significant victory, given that FluBot threat actors have one of the most robust distribution and hosting techniques, using DNS-tunneling over public DNS-over-HTTPS services. The Dutch digital crime unit’s efforts are outstanding because of their backend resiliency in C2 hosting and fronting.”
The Dutch cybersecurity firm also stated that the operators of FluBot ceased developing unique malware variants after May 19, coinciding with the shutdown, thereby reducing their “worming activities.”
“Since FluBot is not the strongest Android banking malware,” Sahin continued, “the overall impact [of the disassembly] on the mobile threat environment is minimal. Exo, Anatsa, and Gustuff are all serious issues for any user. FluBot’s strength has always been its infection counts.”