Stealing information by impersonating logistics companies


According to estimates, at the end of February about 60 thousand Android devices in Spain had fallen victim to FluBot. In addition, more than 11 million phone numbers were captured by FluBot operators.

Following the success of FluBot attacks in Europe, other malware operators have also begun copying FluBot's tactic of impersonating logistics companies via SMS messages.

FluBot, which uses an encrypted protocol for resolving domain names to IP addresses, continues to increase its attacks in more countries around the world, including Italy, the UK, Denmark, Finland, Sweden, Norway and Japan, and is even expanding its network to launch attacks in some countries for the first time.

Protect your cell phones with security software

According to the statement made by ESET, Android users who secure their mobile devices with ESET Mobile Security are also protected against FluBot; the product detects all of this malware as variants of the Android/TrojanDropper.Agent family. However, many Android users are not protected by a mobile security solution and are therefore vulnerable to this threat.

It looks like an “innocent” SMS from the cargo company

FluBot usually launches its attacks by sending SMS messages to large audiences. The message contains a malicious link along with text about a delivery or shipment. In March 2021, ESET telemetry detected the following SMS targeting Android users in Germany: “Your package is about to be delivered, you can track your delivery here.”

Redirects to fake website

People who click on the malicious link are redirected to a website that appears to belong to an international logistics company such as DHL, FedEx, or recently UPS. Regional or local logistics companies are also among the companies FluBot has impersonated. The goal is to get Android users to click a link and then download and install a malicious application, associated with FluBot, that resembles an app such as FedEx's. The actual FedEx Mobile application does not ask for permission to use accessibility services.

Once installed, the malicious application detects banking or other crypto-related applications on the mobile device. The next time the user opens these financial apps, FluBot displays a highly realistic but fake overlay window over the original app to steal credentials. iPhone users are also targeted by FluBot, but there are currently no malicious apps available for iPhone users. Instead, phishing scams are used, such as a fake Amazon survey that requests credit card details with the promise of rewards.

Watch out for malicious SMS messages, fake apps and other tricks

Experts made the following recommendations to avoid exposure to the rapidly spreading FluBot attacks:

• Think twice before clicking on a link sent via SMS.

• Instead of clicking on the link, go to the official website and enter the tracking number provided to make sure it is genuine.

• Do not download applications from anywhere other than official app stores such as Google Play.

• Be sure of what permissions you give apps. If you find that the requested permissions are suspiciously irrelevant to the application’s stated purpose, you may be dealing with malware.

• Before downloading an application, research the developer of the application and read ratings and user feedback about it. Pay attention to negative comments; some apps may be too good to be true.
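
The permission advice above, and the point that the genuine FedEx Mobile app does not request accessibility services, can be turned into a simple check. The following is an added example, not code from ESET or from the original article: it reads an AndroidManifest.xml that has already been decoded to text XML (for instance with a tool such as apktool) and reports accessibility, SMS and contact capabilities. The permission grouping, the verdict rules, the package names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from behaviours in the article to Android permissions.
SMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
       "android.permission.RECEIVE_SMS"}
CONTACTS = {"android.permission.READ_CONTACTS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(manifest_xml):
    """Report SMS, contact and accessibility capabilities in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by the bind permission.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == A11Y_BIND]
    sms, contacts = sorted(requested & SMS), sorted(requested & CONTACTS)
    if a11y and (sms or contacts):
        verdict = "suspicious"   # accessibility plus messaging/contact access
    elif a11y or sms or contacts:
        verdict = "review"       # one capability alone: check it fits the purpose
    else:
        verdict = "ok"
    return {"package": root.get("package"), "accessibility_services": a11y,
            "sms": sms, "contacts": contacts, "verdict": verdict}

# Constructed sample manifests (not taken from any real application).
GENUINE_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parceltracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

LOOKALIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parceltracker.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (GENUINE_LIKE, LOOKALIKE):
        print(audit_manifest(sample))
```

A "review" verdict is not a detection on its own; it only marks a capability whose fit with the app's stated purpose should be checked by a person.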