• Bradley Sing

    Bradley Sing is currently Technical Consultant at Mimecast where he has been since November 2016. Bradley has been working in the technology industry for almost four years and draws on his previous experience to help align customer business needs with the technical solutions that Mimecast provides, which ranges from product demonstrations to help documenting processes and aspects of products. Prior to his role at Mimecast, Bradley worked across the web hosting & domain name industry in Australia, working for Melbourne-based web hosting startup Hosting Australia and previously Melbourne IT Group.


While the FluBot malware sounds contagious and high-tech, it’s important to understand the social engineering that goes into a scam like this. Let’s dive into what a Flubot attack looks like, what it does, and how to defend against it.  


What is smishing?  

“Smishing” is a cyberattack that combines SMS and phishing. This attack occurs on your mobile network in the form of a text inviting you to click on a link. Smishing attacks can be enticing, threatening, or provocative, but the end goal is to goad you into clicking the link in the message. Once you do, hackers can redirect you to a fake page where they can steal your credentials, snag your personal info, or infect your device with ransomware. 


The Flubot attack 

The Flubot attack typically involves the following steps: 

  1. A mobile user receives a text message impersonating a popular brand. In Australia, the scammers appear to be impersonating Telstra, while European Flubot messages appear to come from a courier company. Other brands besides Telstra may be impersonated.

  2. Users are enticed to click on the link with the promise of hearing a missed voicemail; for example: “A voicemail message was left for you at 08.36 on 20/8. Please visit: [link].”

  3. Users are taken to a website, again impersonating a trusted brand, and asked to install an app called Voicemail71.APK to access the missed voicemail.

  4. Doing so installs Flubot malware, giving attackers complete access to your phone.

At present the malware only works on Android phones, although iPhone users may also receive the text messages.  


What harm can Flubot do?  

The main concern with Flubot is its potential to steal credit card numbers and access online bank accounts. As of August 23rd, the ACCC reported over $5500 in losses linked to this attack, with the potential for much more.  

Flubot can also allow attackers to: 

  • Install spyware to watch as users type in passwords 

  • Steal personal information 

  • Exfiltrate phone contacts and use these as potential new targets 

  • Open browser pages 

  • Read and send SMS messages without the user knowing 

  • Initiate phone calls without the user knowing 

  • Disable Android’s built-in protection (Google Play Protect) and block the installation of third-party security software 

  • Block attempts at manual removal (unless safe mode is activated on the device) 

Users may receive an alert from Telstra (the real Telstra) that they have been hit by the scam, but the network operator says it is difficult to block Flubot at the network level because the malware link is constantly changing.  


How to defend against Flubot 

The best way to defend against Flubot is to practice good cyber hygiene and avoid clicking on a suspicious link in the first place. 

  • Watch for poorly spelled text messages that are riddled with typos. It’s not that the attackers are necessarily bad spellers; adding a few typos is likely a deliberate technique to avoid triggering scam detection.

  • Do not click on links sent from unknown numbers. 

  • Report suspicious texts to Scamwatch, delete the text and block the number.   

  • Do not install apps from third-party stores.  
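
The following Python is an added example, not part of the original article or any vendor's filter. It compares an exact keyword filter with a typo-tolerant one on constructed messages modelled on the voicemail lure quoted above, showing why a few typos defeat exact matching; the word list, the 0.8 similarity threshold and the example.test links are assumptions.

```python
import re
from difflib import SequenceMatcher

# Lure vocabulary taken from the voicemail text quoted in the article.
LURE_WORDS = ("voicemail", "message", "visit")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)


def exact_hits(text):
    """Naive filter: lure words that appear verbatim in the text."""
    lowered = text.lower()
    return {w for w in LURE_WORDS if w in lowered}


def fuzzy_hits(text, threshold=0.8):
    """Typo-tolerant filter: lure words approximately matched by some token."""
    body = URL_RE.sub(" ", text.lower())  # keep URL characters out of the tokens
    tokens = re.findall(r"[a-z]+", body)
    return {
        word for word in LURE_WORDS
        if any(SequenceMatcher(None, word, tok).ratio() >= threshold for tok in tokens)
    }


def classify_sms(text):
    """Flag a text that carries a link plus voicemail-lure wording."""
    hits = fuzzy_hits(text)
    has_link = bool(URL_RE.search(text))
    return {
        "suspicious": has_link and "voicemail" in hits and len(hits) >= 2,
        "has_link": has_link,
        "lure_words": sorted(hits),
    }


# Constructed sample messages; example.test is a placeholder domain.
SAMPLES = [
    "A voicemail message was left for you at 08.36 on 20/8. Please visit: http://example.test/v?x1",
    "A voicemial mesage was lefft for yuo at 08.36 on 20/8. Plese vist: http://example.test/v?x2",
    "Hi, running late, see you at 6. Call me if you need anything.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(sorted(exact_hits(sms)), classify_sms(sms))
```

A match is a reason to hold a message for review rather than proof of malware, since legitimate voicemail notifications use the same wording.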
     

If you find out that you have installed the Flubot malware: 

  • Contact your bank immediately, ask them to block access and change your banking passwords. 

  • Contact IDCare if you believe you have had personal information stolen.   

To remove the malware, either: 

  • Perform a factory reset of your phone and restore to a version prior to the malware being installed.  

  • Change your passwords. 

OR 

  • Go to Settings > Accessibility and look for any suspicious or unknown apps that you do not remember installing. Clicking on it will typically bring up a message such as “you cannot perform this action”.  

  • Reboot your phone to safe mode.  

  • In safe mode, go to Settings > Apps, find the suspicious app and uninstall it. 

  • Enable the security settings on your phone. 

  • Change your passwords.  
