Flubot Android banking Trojan spreads via fake security updates

The Flubot Android malware is now leveraging fake security updates warning to trick users into installing the malicious code.

Threat actors behind the Flubot Android malware are now leveraging fake security updates to trick victims into installing the malicious code. The attackers use fake security warnings of Flubot infections and urging them to install the security updates.

Researchers at New Zealand’s computer emergency response team (CERT NZ) spotted the fake security warnings used to deceive the Android users:

“Your device is infected with the FluBot® malware. Android has detected that your device has been infected,” states the fake security warning observed by the researchers. “FluBot is an Android spyware that aims to steal financial login and password data from your device. You must install an Android security update to remove FluBot.”

The messages also instruct the victims to enable the installation of unknown apps to allow the installation of fake security updates.

Flubot has been active since late 2020, it was first observed targeting Spanish users. Since March 2021, the malicious code was also employed in attacks aimed at several European countries as well as Japan.

In March, experts from Swiss security outfit PRODAFT estimated that the number of infected devices worldwide was approximately 60,000.

”The PTI team has deanonymized the C&C server and discovered that FluBot has already infected more than 60,000 victims and stolen over 11 million phone numbers.” states the report.

The Android malware has been used to steal banking credentials, payment information, and sensitive data from infected devices.

In past attacks, the malware was spreading by spamming text messages to contacts from infected phones that instruct them to install tainted apps from servers under the control of the attackers.

The malicious code also requests permissions to access the Android Accessibility service, implemented to assist users with disabilities in using Android devices and apps, but that was abused by threat actors to carry out malicious activities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.