International Authorities Take Down Flubot Malware Network

International law enforcement has taken down the infrastructure behind Flubot, a nasty piece of malware which had been spreading with unprecedented speed across Android devices globally since December 2020.

Europol revealed Wednesday that a collaboration between law enforcement in 11 countries led to the disruption of the Flubot network in early May by Dutch Police, or Politie, “rendering this strain of malware inactive,” according to the agency.

Law enforcement authorities of Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States, coordinated by Europol’s European Cybercrime Centre (EC3), participated in the effort.

Specifically, EC3 teamed with national investigators in affected countries to establish a joint strategy and provided digital forensic support, as well as facilitated the exchange of operational information across various national entities, the agency said.

The international law-enforcement team will continue to seek the individuals behind the campaign, who are still at large, according to Europol.

Spreading Like Wildfire

Flubot spread via text messages that baited Android users into clicking on a link and installing an application to track to a package delivery or listen to a fake voicemail message. These malicious links installed the FluBot trojan, which then asked for permissions on the device that led to a variety of nefarious and fraudulent behavior.

While FluBot acted like a typical trojan—stealing various credentials to banking apps or cryptocurrency accounts and disabling built-in security–its operators used unique methods to ensure the malware spread like wildfire.

Once installed on a device, Flubot would access a user’s contact list and begin sending new messages to everyone on the list, creating a dynamic, viral effect that transcended time zones or regions, researchers from BitDefender observed in January.

“These threats survive because they come in waves with different messages and in different time zones,” they wrote in a report published at the time. “While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing.”

This feature is what allowed Flubot’s operators to quickly change targets and other malware features on the fly, which broadened their attack surface from geographical regions as disparate as New Zealand and Finland in a flash, researchers noted.

Changing Tactics and Sharing Networks

In addition to using targets’ own contact lists to propagate the malware, Flubot operators employed some unique and creative tactics to try to dupe Android users into downloading the trojan and even teamed up with another mobile threat during its global campaign.

Last October, Flubot used a fake security warning trying to trick users into thinking they’d already been infected with Flubot to get them to click on a fake security update spread via SMS. The unique tactic was used in a campaign against Android users in New Zealand.

Several months later in February of this year, Flubot hitched its infrastructure wagon up to another mobile threat known as Medusa, a mobile banking trojan that can gain near-complete control over a user’s device, researchers from ThreatFabric discovered. The partnership resulted in high-volume, side-by-side global malware campaigns.

Indeed, even with Flubot out of the picture, there are still a number of threats of which Android users need to be wary. An IoT malware that can exploit existing vulnerabilities dubbed “EnemyBot” recently emerged that’s targeting Android devices as well as content management systems and web servers.

Other pervasive threats such as the Joker fleeceware and malware that can conduct fraudulent transactions on an infected device such as Octo and Ermac also continue to pose a significant risk for Android users, according to a recent report on current mobile threats by ThreatFabric.