FluBot Android Malware Spreading Rapidly Through Europe, May Hit
May 3, 2021
After a brief dip in activity in early March 2021, which is attributed to arrests made by Spanish authorities,[i][ii] the FluBot Android malware has picked back up, spreading throughout various countries in Europe via its SMS package delivery scheme. Its latest victims include Android users in the United Kingdom, Germany, Hungary, Italy,[iii] Poland, and Spain, based on Proofpoint and open-source information,[iv] and it may be on the cusp of spreading among US users. Proofpoint researchers have reverse engineered samples of FluBot versions 3.7 and 4.0 used with FedEx, DHL, and Correos lures and detail our findings below.
Recent FluBot Activity
The FluBot threat actors have substantially branched out beyond their initial target of Spain, which originally accounted for the vast majority of infections since the malware’s discovery in late 2020.[v] The campaigns now encompass the UK, Germany, Hungary, Italy, Poland, and Spain with new recipients, including the U.S., likely to be added.
Proofpoint has observed over 700 unique domains being used in the English-language campaign alone, which is almost exclusively hitting UK users. According to Proofpoint data, the campaign in the United Kingdom began with messages sent from Germany, but these were quickly replaced by messages from UK senders. The German-language messages were turned off once the UK messages were established, indicating a conscious effort to spread FluBot from country to country. Proofpoint estimates that there are about 7,000 currently infected devices spreading the English-language campaign through the UK, but the volume of malicious SMS messages can number in the tens of thousands per hour, and some mobile subscribers have received up to six SMS messages with the FluBot link.
Proofpoint has seen German and English-language SMS messages being sent to U.S. users from Europe, which may be the result of the malware sending to everyone on the infected devices’ contact lists. However, we are not yet seeing a concerted effort to infect U.S. phones in the way that we have in the UK.
FluBot continues to strictly operate via SMS with no observed spreading via email at this time. The FluBot versions analyzed by Proofpoint impact at a minimum Android SDK version 7.0 and target Android SDK version 9.0.
FluBot: A Breakdown
Proofpoint researchers have reverse engineered samples of FluBot versions 3.7 and 4.0 and determined they have the same functionality but differ in some elements of their obfuscation and C2 communication.
Regardless of the malware version or lure, each FluBot infection begins with a potential victim receiving an SMS message impersonating a delivery service. The messages are variations on delivery themes (Figure 1), such as “FEDEX Your package is arriving, track here” and include links to compromised sites. If the victim follows the link, they are prompted to download a malicious app that, to lend credibility, has the delivery service’s logo as its icon and uses legitimate-looking APK files (Android’s app file format) with FluBot encrypted and embedded inside.
Of the samples Proofpoint researchers have analyzed, FluBot v3.7 uses package names of com.tencent.mobileqq and com.tencent.mm with FedEx, DHL, and Correos lures while v4.0 uses a package name of com.eg.android.AlipayGphone with DHL lures.
Figure 1. Sample of lures.
After the app is installed, user interaction is required to provide the malware with full access to the device via the Android Accessibility Service and Notification access. Figure 2 shows the sequence of prompts with a fake FedEx lure that leads the victim through granting this access.
Figure 2. Action, installation, and access notifications
Once given the permissions, both FluBot versions act as spyware, SMS spammer, and credit card and banking credential stealer, all in one. Reaching out to the C2 server, the malware sends the victim’s contact list and retrieves an SMS phishing message and number to continue its spread using the victim’s device.
Additional functionality (Figure 3) includes intercepting SMS messages, USSD messages from the telecom operator, and app notifications, opening pages on a victim’s browser, disabling Google Play Protect to prevent its detection, opening a SOCKS connection and creating a SOCKS proxy for communication depending on the C2 request, and uninstalling any app as directed by the C2. The malware also uses the system’s “locale.getLanguage()” to set the text language for interfacing with the victim, ensuring they will be none the wiser when they encounter notifications.
Figure 3. Part of the code that handles commands from C2.
Another key part of the malware’s functionality is its ability to install display overlays for various banking apps and Google Play verification (Figure 4). When the malware has captured the victim’s credit card information, the card number format is validated locally and then sent to the C2 for exploitation (Figure 5).
Figure 4. Google Play verification.
Figure 5. Code of victim credit card data being assembled.
In the samples Proofpoint researchers analyzed, there is a change in the obfuscation of the class names. Version 3.7 in fake FedEx and Correos campaigns does not obfuscate the class names, while v3.7 and v4.0 in DHL campaigns use obfuscated class names (Figures 6 and 7). All versions have string and method names obfuscated.
Figure 6. Class names in v3.7 using FedEx lure.
Figure 7. Class names in v4.0 using DHL lure.
FluBot uses a domain generation algorithm (DGA) to connect to its C2 server, generating a list of domains to try until it finds one it can reach. Using this method, the threat actors can switch the domains they are using for C2 communication quickly as they become blocked or taken down.
In FluBot v3.7 the number added to the seed used by the DGA is static, whereas in v4.0 the number added to the seed is specific to the language set on the victim’s device (Figure 8). Version 3.7 is using the TLDs “.ru,” “.com,” and “.cn” while v4.0 is using the TLDs “.ru,” “.su,” and “.cn.”
Figure 8. FluBot sets the app language and determines DGA number to be added.
For communication with the C2, FluBot uses the HTTP POST method on port 80, with the POST body encrypted and then base64-encoded (Figures 9 and 10).
Figure 9. Image of encryption and base64 encoding of traffic.
Figure 10. Assembled HTTP packet to send data to C2.
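The traffic shape described above (plain-HTTP POST on port 80 whose body is base64 wrapping encrypted, high-entropy bytes) can be turned into a simple triage heuristic. The following is an added example written for this article, not Proofpoint’s detection logic; the record format, the thresholds, and the sample requests are all constructed assumptions.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

# Heuristic thresholds: assumptions chosen for this example, not values from the report.
MIN_BODY_BYTES = 16       # entropy is meaningless for tiny bodies, so ignore them
ENTROPY_THRESHOLD = 4.5   # bits per byte; encrypted or random data sits well above this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def decode_strict_base64(body: str):
    """Return decoded bytes if the body is well-formed base64, else None."""
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_encrypted_post(request: dict) -> bool:
    """Flag a plain-HTTP POST whose body is base64 of high-entropy (encrypted-looking) bytes."""
    if request.get("method") != "POST" or request.get("port") != 80:
        return False
    raw = decode_strict_base64(request.get("body", ""))
    if raw is None or len(raw) < MIN_BODY_BYTES:
        return False
    return shannon_entropy(raw) >= ENTROPY_THRESHOLD


# Constructed sample records (hypothetical proxy-log shape, not captured FluBot traffic).
_random_like = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(4))
SAMPLE_REQUESTS = [
    # Ordinary form post, base64 of readable text: low entropy, not flagged.
    {"id": 1, "method": "POST", "port": 80, "body": base64.b64encode(b"user=alice&action=login").decode()},
    # Base64 of pseudo-random bytes, the shape described for FluBot C2 bodies: flagged.
    {"id": 2, "method": "POST", "port": 80, "body": base64.b64encode(_random_like).decode()},
    # Same payload on port 443: outside the plain-HTTP pattern this rule targets, not flagged.
    {"id": 3, "method": "POST", "port": 443, "body": base64.b64encode(_random_like).decode()},
    # Not valid base64 at all, so the decoder rejects it.
    {"id": 4, "method": "POST", "port": 80, "body": "hello world, this is not base64!"},
]


def flagged_ids(requests) -> list:
    """Return the ids of requests matching the heuristic, in input order."""
    return [r["id"] for r in requests if looks_like_encrypted_post(r)]


if __name__ == "__main__":
    print("flagged request ids:", flagged_ids(SAMPLE_REQUESTS))
```

Such a rule is a triage aid only: legitimate apps also post compressed or encrypted blobs over HTTP, so hits should be correlated with the DGA-style domain names described above before acting on them.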
FluBot is likely to continue to spread at a fairly rapid rate, moving methodically from country to country via a conscious effort by the threat actors. As long as there are users willing to trust an unexpected SMS message and follow the threat actors’ provided instructions and prompts, campaigns such as these will be successful.
To reduce your personal risk of becoming a victim of FluBot, Proofpoint recommends that all mobile users: