
FluBot Android malware targets Finland in new SMS campaigns

The National Cyber Security Center of Finland (NCSC-FI) has issued a warning about rising FluBot Android malware infections due to a new campaign that relies on SMS and MMS for distribution.

FluBot seeks to steal the credentials of its victims’ financial accounts by overlaying phishing pages on top of legitimate banking and cryptocurrency apps.

Additionally, it can access SMS data, make phone calls, and monitor incoming notifications to retrieve temporary authentication codes such as one-time passwords (OTPs), required in addition to regular login credentials.

Finnish authorities issued a similar warning last year after detecting the spread of 70,000 malicious messages in just 24 hours.

This time, no precise figures were provided, but the NCSC-FI said that “thousands of malicious messages are circulating” towards potential victims.

SMS decoys

FluBot operators use SMS messages claiming to contain links to voicemail, notifications of missed calls, or alerts about incoming money from an unknown financial transaction.

FluBot SMS samples spotted in Finland (NCSC-FI)

The links in these messages direct the victim to a website that hosts the FluBot APK, which victims are instructed to download and install to learn the details of the transaction.

Fake voicemail alert prompting user to download app (NCSC-FI)

The app asks victims to grant risky permissions on Android, such as accessing SMS data, managing phone calls, and reading the user’s address book.

Threat actors use the contact list to send a second wave of SMS messages from compromised devices. Since these messages come from a known source, recipients are more likely to open them and infect their devices.
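The permission pattern described above can be checked during triage of a sideloaded APK. The following is an added example, not code from NCSC-FI or the original article: it reads an AndroidManifest.xml that has already been decoded to text XML and flags apps requesting SMS, call and contacts access together. The grouping of permissions, the sample manifests and the package names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Real Android permission names; grouping them by the three capabilities the
# article lists is an assumption of this example, not an NCSC-FI rule.
CAPABILITIES = {
    "sms": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "calls": {"CALL_PHONE", "READ_PHONE_STATE", "READ_CALL_LOG", "ANSWER_PHONE_CALLS"},
    "contacts": {"READ_CONTACTS"},
}
LISTENER = P + "BIND_NOTIFICATION_LISTENER_SERVICE"

def triage_manifest(manifest_xml):
    """Summarise risky capabilities requested by a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name", "")
            if name.startswith(P):  # ignore custom permissions with look-alike names
                requested.add(name[len(P):])
    found = {cap: sorted(requested & names) for cap, names in CAPABILITIES.items()
             if requested & names}
    # A notification listener is declared as a <service> guarded by this permission.
    listener = any(s.get(ANDROID + "permission") == LISTENER for s in root.iter("service"))
    return {"package": root.get("package"), "capabilities": found,
            "notification_listener": listener,
            "flag": set(found) == set(CAPABILITIES)}

# Constructed sample manifests (hypothetical package names).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.voicemail">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A flagged result is a triage signal, not a verdict: legitimate messaging and dialer apps request the same combination, so the install source still matters.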

Attackers don’t miss any opportunity to monetize: if the malicious SMS reaches an iPhone user, that user is redirected to premium subscription fraud and other scams.

The NCSC-FI clarifies that simply opening the links does not install malware on your device, but users should avoid installing APKs outside of the official Play Store.

What to do in case of infection

If your device is already infected with FluBot, a factory system reset should eliminate the malware. If you’re restoring from a backup, it’s important to make sure it doesn’t contain the malware.

If you plan to use a banking app after infection, contact your bank and follow their instructions. Also, closely monitor all your transactions and report any fraudulent activity immediately.

It is also recommended to reset the passwords of the accounts used from the compromised device.

If you are an iPhone user and inadvertently subscribed to premium services via a FluBot SMS, contact your carrier and ask them to cancel the subscription. If possible, permanently ban subscriptions to these services.