Police take down SMS-based FluBot spyware affecting Android phones

The FluBot malware has been stopped by a successful Police operation.  FluBot had been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected Android smartphones across the world.  It has been one of the fastest spreading mobile malware seen to date.

The takedown was the result of an international law enforcement operation involving 11 countries and coordinated by Europol’s European Cybercrime Centre (EC3).  This resulted in the Dutch police successfully disrupting the FluBot infrastructure and taking over its control during May 2022.  The investigation is ongoing to identify the individuals behind this global malware campaign.

How FluBot Worked

First spotted in December 2020, FluBot gained traction in 2021, compromising a huge number of devices worldwide, including significant incidents in Spain and Finland.  Cases were seen across Europe and in Australia.

The malware was installed via text messages, which asked Android users to click a link and install an application to track a package delivery or to listen to a fake voice mail message. Once installed, the malicious application would ask for accessibility permissions. The hackers would then use this access to steal banking app credentials or cryptocurrency account details, and to disable built-in security mechanisms.

FluBot was able to spread quickly due to its ability to access an infected smartphone’s contacts.  Messages containing links to the malware were then sent to these numbers, helping to spread the malware further.

What to do if your device has been infected

FluBot malware is disguised as an application, so it can be difficult to spot. There are two ways to tell whether an app may be malware:

  • If you tap an app, and it doesn’t open
  • If you try to uninstall an app, and are instead shown an error message

If you think an app may be malware, reset the phone to factory settings.
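Because FluBot relied on being granted accessibility access after install, one practical check on a suspect device is to list which packages currently hold that privilege and flag any that are not expected. The script below is an added example and not part of the original article; it assumes a device reachable over `adb` with USB debugging enabled, reads the standard `enabled_accessibility_services` secure setting (a colon-separated list of `package/Service` entries), and uses a hypothetical allowlist that you would edit for your own fleet.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit which Android packages hold the
# accessibility privilege that FluBot abused after installation.

# Assumption: packages expected to hold accessibility access on this fleet.
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.talkback"

# flag_accessibility_services RAW_VALUE
# RAW_VALUE is the raw setting, e.g. "pkg.a/.ServiceA:pkg.b/.ServiceB".
# Prints "REVIEW: <entry>" for each service whose package is not allowlisted.
# Returns 0 when nothing is flagged, 1 otherwise.
flag_accessibility_services() {
  raw="$1"
  flagged=0
  IFS=':'
  set -- $raw          # split the setting on ':' into positional parameters
  unset IFS
  for svc in "$@"; do
    [ -z "$svc" ] && continue
    pkg="${svc%%/*}"   # package name is everything before the first '/'
    case " $ALLOWED_PKGS " in
      *" $pkg "*) ;;   # expected package, nothing to report
      *) echo "REVIEW: $svc"; flagged=1 ;;
    esac
  done
  return $flagged
}

# audit_device: read the live value from a connected device and check it.
# "null" is what the settings command prints when no service is enabled.
audit_device() {
  raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  [ "$raw" = "null" ] && raw=""
  flag_accessibility_services "$raw"
}

# Constructed sample value: a legitimate screen reader plus an unknown
# sideloaded package that has enabled its own accessibility service.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.example.sideloaded/.AccessService"
```

Any flagged package should be cross-checked against what the user knowingly installed; if it cannot be accounted for, the article's advice above (factory reset) applies.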

Find out more on how to protect yourself from mobile malware.


International Cooperation

This case highlights the importance of cross-border cooperation in taking down organised criminal groups.  EC3 brought together the national investigators in the affected countries to establish a joint strategy, provided digital forensic support and facilitated the exchange of operational information needed to prepare for the final phase of the action. The J-CAT, hosted at Europol, also supported the investigation.  A virtual command post was set up by Europol on the day of the takedown to ensure seamless coordination between all the authorities involved. The following authorities took part in the investigation:

  • Australia: Australian Federal Police
  • Belgium: Federal Police (Federale Politie / Police Fédérale)
  • Finland: National Bureau of Investigation (Poliisi)
  • Hungary: National Bureau of Investigation (Nemzeti Nyomozó Iroda)
  • Ireland: An Garda Síochána
  • Romania: Romanian Police (Poliția Română)
  • Sweden: Swedish Police Authority (Polisen)
  • Switzerland: Federal Office of Police (fedpol)
  • Spain: National Police (Policía Nacional)
  • Netherlands: National Police (Politie)
  • United States: United States Secret Service

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including mobile malware. The 12th EAST EPTF meeting took place on 13 April 2022.

IOCTA 2021 Published by Europol

Europol has published its Internet Organised Crime Threat Assessment for 2021 (IOCTA 2021).  This highlights five key threats:

  • Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
  • Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication (2FA).
  • Online shopping has led to a steep increase in online fraud.
  • Explicit self-generated material is an increasing concern and is also distributed for profit.
  • Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

IOCTA 2021 looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years.

  • Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals.
  • While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts.
  • The increase of online shopping in general has attracted more fraudsters.
  • With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly.
  • Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies, continues to be abused for the facilitation and proliferation of a large range of criminal activities.

This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

“Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3). “… Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so,” he added.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The 11th EAST EPTF meeting took place on 10 November 2021.