Do you own an Android phone and have received an SMS message with a link to a voice message? Then you should delete this message unread, because behind it there is most likely a new malware called “Flubot”, which has recently become active in Switzerland.
If you click on the link contained in the SMS message, you will be redirected to a fraudulent website where you are supposed to download the alleged voicemail.
If you do so, you install the malware on your phone, allowing it to grab sensitive data from your device. This attack method is called “smishing”, a word combination of “SMS” and “phishing”.
In Germany and other countries, “Flubot” disguises itself as an SMS parcel message from a transport company such as DHL or FedEx. The link in the message then leads to a fraudulent website from which an alleged app from the transport company is to be downloaded.
‼️ Android #FluBot banking trojan is spreading in DE 🇩🇪 via a link in SMS impersonating the FedEx app.
Based on our data, the campaign started March 15, 2021. We have identified dozens of cases where users downloaded this app from a fake FedEx site. #ESETresearch @LukasStefanko pic.twitter.com/0lRZ8AcZKw— ESET research (@ESETresearch) March 18, 2021
Various Swiss IT organizations are currently warning about the malware, including Switch or the National Cyber Security Center in Bern, or NCSC for short:
“At the moment, the NCSC is receiving numerous messages about SMSs that alert the recipient to a supposed voice message. Anyone who clicks on the link in the SMS is taken to a fake website where the victim is asked to download the message. In fact, however, it is a malicious software. Do not download this file under any circumstances, do not click on the link in the SMS and delete the message.”
The Zurich Cantonal Police also describes the malware on its own cybercrime website cybercrimepolice.ch: SMS are sent to premium-rate numbers, among other things, according to Kapo Zurich. In addition, “Flubot” tries to tap credit card data as well as data entries in cryptocurrency apps or the email service Gmail. The Kapo also provides tips on what to do if you have accidentally installed the malware on your cell phone (see info below).
Warnung vor SMS – Betrügern
Das SMS “Neue Voicemail” ist die gefährliche Schadsoftware FluBothttps://t.co/IDSzMBKmzj#KantonspolizeiZürich #Cybercrime pic.twitter.com/kf9OjN753s
— Kantonspolizei Zürich (@KapoZuerich) June 21, 2021
In order to spread, the malware also uses the contact list of the infected phone to send countless SMS messages to other devices.
“Flubot” first appeared in Spain, Hungary and Poland in December 2020. Since then, the malware, which is also known as “Cabassous” and “Fakechat”, has spread worldwide.
“Flubot” can basically only infect Android phones. iPhones can also receive such a text message, but they are not in direct danger because apps can only be installed via the official Apple Store, which has been checked by Apple.
• Do not click on the link
• Delete the SMS message
• Ideally, make people in your social environment aware of the issue and show them the SMS message before deleting it
• Reset your cell phone to factory settings (How do I do that?); this will delete all data on the cell phone
• Inform your mobile phone provider
• Block your credit card(s)
• Change the credentials of any cryptocurrency apps from another device
• Do the same if you use Gmail
• Keep the Android version on your phone up to date
• Protect your phone with anti-malware software (e.g. SophosMobile Security for Android)
• Download apps only from the official Google Play Store
• Set in the security settings of your phone that data from “unknown sources” should not be installed
https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/#comments
https://www.ncsc.admin.ch/ncsc/en/home/aktuell/aktuelle-vorfaelle.html
https://www.cybercrimepolice.ch/de/fall/das-sms-neue-voicemail-ist-die-gefaehrliche-schadsoftware-flubot/
https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027
https://www.t-online.de/digital/internet/id_90136940/vorsicht-falsche-dhl-app-android-trojaner-flubot-breitet-sich-aus.html
https://support.google.com/android/answer/6088915?hl=en
https://en.wiktionary.org/wiki/smishing
https://www.droidwiki.org/wiki/Sideloading
https://en.wikipedia.org/wiki/Phishing