The FluBot malware is using a new tactic to infect Android devices: a fake security-update warning that tricks victims into downloading and running the malware themselves.

New Zealand's Computer Emergency Response Team (CERT NZ) explained on its official Twitter profile that the criminals first send the target an SMS message warning about a missed delivery or about stolen photos that are supposedly being published online. The message ends with a link to a website.

UPDATE: The installation page for #Flubot has changed to look like a warning page. If you see this page close the page IMMEDIATELY and DO NOT click “Install security update”. Advisory update to follow. pic.twitter.com/TDam5HEphz

— CERT NZ (@CERTNZ) September 30, 2020

When the site is opened, it displays a message alerting the visitor that their Android device is infected with FluBot. It then prompts them to install an "Android security update" to remove the infection. The page also instructs victims to enable the installation of apps from unknown sources if Android shows a warning that the app cannot be installed, which is the OS protection that would otherwise block the download.

CERT NZ notes that a device showing this page is not necessarily infected with FluBot: the warning is itself the lure. However, if the instructions on the page are followed, the malware will be installed on the device.

The history of FluBot

FluBot, also known as Cabassous and FedEx Banker, is Android banking malware that has been active since mid-2020. It is used to steal banking credentials and payment card information, read text messages and harvest contacts from infected devices.

At the beginning of its operations its attacks focused on Spain, but over time it has expanded to other European countries such as Germany and the United Kingdom, and also to Australia and Japan.

In March, police in Spain said they had arrested the leaders of the criminal group responsible for FluBot. In the same month, the Swiss security firm PRODAFT reported that the malware had already infected about 25 thousand devices and had collected contact information for roughly 60% of Spain's population.

Previous reports of FluBot attacks have shown that it infects Android phones through text messages that ask victims to install a malicious app downloaded from servers controlled by the criminals, typically disguised as a parcel-delivery app.

Once installed, both the earlier version and the one CERT NZ warns about ask the user for additional permissions, in particular access to the Android accessibility service. That service is designed to let assistive apps read the screen and act on the user's behalf, so a malicious app holding it can run unattended and conceal its own malicious user-interface activity.

The result is that FluBot effectively takes control of the infected device and gains access to the user's bank account and payment information through overlay phishing: when a targeted banking or payment app is opened, the malware draws a fake login screen on top of the real app, and the victim types their credentials into the fake one without noticing.

FluBot also collects the phone's contacts and sends them to its command-and-control server (the attacker-controlled machine that issues orders to the malware), which is how the next wave of lure SMS messages gets its recipients. It monitors system notifications to observe what other apps are doing, reads SMS messages and can place phone calls.

If you believe your device may be infected with FluBot, the recommended actions are to remove it with an antivirus app for Android, or to directly uninstall the app that, according to the battery manager, is consuming an unusual amount of power for the device. Unusual battery drain is one of the signs of this malware. Since the malware's accessibility access can interfere with uninstalling it through the normal settings screens, removal may need to be done in safe mode or over a USB debugging connection.

In a more extreme measure, a factory reset of Android phones also removes FluBot.
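The accessibility-service abuse described above gives a concrete thing to check during triage: on Android, the list of enabled accessibility services is a single secure setting, and a third-party package appearing in it is worth a hard look. The following is an added example script, not code from the original article, CERT NZ or the source reports. It parses the text that `adb shell` returns for `pm list packages -3` and `settings get secure enabled_accessibility_services`, flags third-party packages with an accessibility service enabled, and builds the `pm uninstall` command for each. The package names in the sample outputs are constructed for illustration; the assumption that a suspect device is reachable over adb is hypothetical.

```python
"""Triage helper for an Android device suspected of FluBot-style infection.

Added example, not from the original article. Parses the output of two
`adb shell` commands and flags third-party apps that hold an enabled
accessibility service, the permission the article says FluBot uses to hide
its overlay activity. Runs offline against constructed sample output.
"""
import subprocess

# Constructed sample output of: adb shell pm list packages -3
# (third-party packages only; names are hypothetical)
SAMPLE_THIRD_PARTY = """package:com.example.bank
package:com.update.security
package:org.mozilla.firefox
"""

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/serviceClass" pairs.
SAMPLE_A11Y = (
    "com.update.security/.MainService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)


def parse_third_party_packages(pm_output):
    """Return the set of package names from `pm list packages -3` output."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def parse_accessibility_services(settings_output):
    """Return (package, fully-qualified service class) pairs.

    The setting reads 'null' (or is empty) when no service is enabled.
    A class written as '.Name' is relative to the package and is expanded.
    """
    value = settings_output.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def suspicious_accessibility_apps(pm_output, settings_output):
    """Third-party packages that currently hold an enabled accessibility service."""
    third_party = parse_third_party_packages(pm_output)
    enabled = {pkg for pkg, _ in parse_accessibility_services(settings_output)}
    return sorted(enabled & third_party)


def uninstall_command(pkg):
    """adb command that removes a package for the primary user even when the
    app blocks uninstallation from the Settings UI."""
    return ["adb", "shell", "pm", "uninstall", "--user", "0", pkg]


def adb_shell(*args):
    """Run an adb shell command and return its stdout (needs a connected device)."""
    return subprocess.run(
        ["adb", "shell", *args], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    try:
        pm_out = adb_shell("pm", "list", "packages", "-3")
        a11y_out = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No adb or no device: fall back to the constructed sample output.
        pm_out, a11y_out = SAMPLE_THIRD_PARTY, SAMPLE_A11Y
    for pkg in suspicious_accessibility_apps(pm_out, a11y_out):
        print("suspicious accessibility service in:", pkg)
        print("  remove with:", " ".join(uninstall_command(pkg)))
```

A hit here is not proof of infection (legitimate screen readers and automation apps also enable accessibility services), so compare the package name against what the user actually installed before uninstalling. The same `adb shell` session can also show which apps were granted permission to install unknown apps (`appops get <package> REQUEST_INSTALL_PACKAGES`), which is the setting the fake update page asks the victim to enable.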

Source: BleepingComputer, BugsFighter