A brief history of FluBot
Although FluBot is not a new threat, it is experiencing a resurgence. The malware first appeared in early 2021, originating in Spain and spreading throughout the United Kingdom and Europe. It infects victims’ smartphones by sending them an SMS that poses as an official delivery company alert, tells them a package is on its way, and encourages them to click on a URL to track it.
When you do so, you’re taken to a page where you can download a package tracking app. The tracking app turns out to be malware that infects the phone and spies on the user’s activities. The goal, of course, is to steal financial login information so the hackers can take over your bank accounts. How considerate of them.
FluBot has new tricks up its sleeve
Hackers like the ones behind FluBot profit from people being unaware of their schemes and con games. As the affected areas of the world learned about the malware, the hackers likely saw diminishing returns: government agencies in the countries FluBot targeted warned citizens about the malware and exposed the type of message that tries to trick users into downloading it in the first place.
So, what are the options for FluBot’s coders? They must adapt. The hackers are bringing the world’s attention to FluBot, just as the Inception team brought the mark’s attention to the nature of the dream. When you click on the link in their malicious text messages, a pop-up appears warning that your phone is infected with FluBot. According to the pop-up, the only way to get rid of FluBot is to download an “Android security update.” (Unsurprisingly, the “Android security update” is infected with FluBot.)
This pop-up could also be a warning that you have a special voicemail that you can only listen to through a specific app (not one of their most convincing ideas, in my opinion). These scams are becoming more common around the world; CERT NZ, New Zealand’s Computer Emergency Response Team, recently published an excellent blog post on the subject for its citizens, but it applies to anyone who may come across the FluBot scam.
How to prevent FluBot from infecting your smartphone
First and foremost, do not click on any of these links. In general, don’t click on strange links, such as those that ask you to track a package you didn’t order. That’s just good cybersecurity practice: always double-check a link’s legitimacy before opening it, whether on a smartphone, tablet, or computer. FluBot affects only Android phones; iPhones can receive the message and open the pop-up, but the app cannot be installed on the platform.
You can also disable the ability for your Android apps to install additional unknown apps without your permission. Apps like FluBot will be unable to infiltrate your device as a result. On Android 8 or later, go to Settings > Apps > Special access > Install unknown apps, then make sure “Not allowed” is selected for your apps. Change any app that says “Allowed” to “Not allowed.” If you’re using Android 7 or earlier, go to Settings > Security (or Lockscreen and Security) and turn off “Unknown sources.”
If you clicked on the link in the text message but didn’t download any apps, there doesn’t appear to be any danger at this time. FluBot, as far as we can tell, is only effective once you download the app linked in the pop-up; the link in the SMS only takes you to the pop-up, so that process shouldn’t infect your phone with malware on its own. Even so, CERT NZ advises that if you did click on the SMS link, you change your passwords just to be safe.
So, let’s say you clicked the link in the pop-up and downloaded the FluBot app that was hidden inside. Don’t be concerned. Factory reset your phone or restore from a backup from before you downloaded the FluBot app to completely remove any trace of FluBot from your device. Then change the passwords for all of your linked accounts. You should also contact your bank to ensure that no suspicious activity has occurred on your account. Then never, ever, ever, ever click or tap on an unexpected link again.