FluBot Android Spyware Taken Down by Global Law Enforcement Operation

An international law enforcement operation involving 11
countries has culminated in the takedown of a notorious mobile
malware threat called FluBot[1].

“This Android malware has been spreading aggressively through
SMS, stealing passwords, online banking details and other sensitive
information from infected smartphones across the world,” Europol
said[2] in a statement.

The “complex investigation” included authorities from Australia,
Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden,
Switzerland, the Netherlands, and the U.S.

FluBot[3], also called Cabassous,
emerged in the wild in December 2020, masking its insidious intent
behind the veneer of seemingly innocuous package tracking
applications such as FedEx, DHL, and Correos.

It primarily spreads via smishing (aka SMS-based phishing)
messages that trick unsuspecting recipients into clicking on a link
to download the malware-laced apps.

Once launched, the app would proceed to request access to
Android’s Accessibility Service to stealthily siphon bank account
credentials and other sensitive information stored in
cryptocurrency apps.

To make matters worse, the malware leveraged its access to
contacts stored in the infected device to propagate the infection
further by sending messages containing links to the FluBot
malware.

“This FluBot infrastructure is now under the control of law
enforcement, putting a stop to the destructive spiral,” the agency
noted, adding that the Dutch Police orchestrated the seizure last
month.

According to ThreatFabric’s mobile threat landscape report[4] for H1 2022, FluBot was
the second most active banking trojan behind Hydra, accounting for
20.9% of the samples observed between January and May.

References

  1. FluBot (thehackernews.com)
  2. said (www.europol.europa.eu)
  3. FluBot (thehackernews.com)
  4. mobile threat landscape report (thehackernews.com)
