Flubot Spyware spreading to Android Devices Through Delivery Scam

Android users across the UK and EU are being warned of a new Spyware scam spreading to devices. The attack vector is via text and delivers a Spyware strain named Flubot. The malware is delivered to targets through SMS texts and prompts them to install a “missed package delivery” app. If the target follows the link, they are taken to a delivery website and asked to download the delivery company’s app. The app, of course, is the Flubot spyware. Upon installation, Flubot is immediately dangerous and sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device, and extracting away various pieces of personal information.

Flubot connects to a hacker’s command-and-control center (C&C), where it relays all data back to. The spyware sends text messages to everyone in the users’ contact list with the same initial link, aiming to propagate virally.

The U.K.’s National Cyber Security Centre (NCSC) has issued security guidance about how to identify and remove FluBot malware, while network providers, including Three and Vodafone, have also issued warnings to users over the text message attacks.

So far, most of the phishing texts are branded to look like they are being sent from DHL, the NCSC said, but warned, “the scam could change to abuse other company brands.”

The NCSC claims Flubot is damaging enough that the only solution for removal is a factory reset.

The text a target receives. Though this example shows DHL, other courier companies have been reported.


The attack has been reported to have several variations. The most obvious is changing the supposed courier company that sends the text. In another case, the text purports to be from Amazon and includes an almost legitimate-looking link. However, the link swaps out an ‘o’ for a zero within.

Telecom carriers Vodafone UK, Three UK and EE have all confirmed the scam is traversing their networks, which collectively have more than 58 million subscribers across the country.

Anyone who receives what they believe to be a scam text is advised not to click on any links and forward the text to “7726” a “free spam-reporting line” established to combat fraud in the U.K. Finally, delete the message and block the sender.

The fraudulent site where the target is asked to download spyware

If a user has already clicked on the link, the NCSC warned not to enter any password or other personal information. To remove the malware from the infected device, “Perform a factory reset as soon as possible,” the NSCS guidance reads. “The process for doing this will vary based on the device manufacturer…Note that if you don’t have backups enabled, you will lose data.”

The NCSC added that if a user has entered their personal information, it’s critical to change those passwords immediately to prevent further compromise.

The flubot spyware was initially spotted in the UK, followed by Hungary and other EU states. It is believed that the campaign will eventually hit American shores.

Flubot Spyware Analysis

The analysis of flubot spyware has been carried out by Prodaft.

FluBot uses a common Android malware packer that loads the decrypted DEX in runtime. Without any hooks, analysts can access the dropped DEX in the ‘app_DynamicOptDex‘folder. Only string obfuscation is present in the decrypted DEX.

Flubot spyware has a number of commands, most of which are self-explanatory.

Other than targeted apps, FluBot can trigger on-demand credit card phishing if it gets the “CARD_BLOCK” command from the server. FluBot blocks all incoming notifications when the BLOCK command is received from the server. FluBot malware is able make USSD calls to the codes sent from the C&C server.

FluBot is also able to set itself as the default SMS application by abusing accessibility permissions, thus allowing the malware to send SMS messages on demand.

Once it has infected the victim’s device, FluBot sends all phonebook (contact list) numbers to the C&C server. FluBot uses a domain generation algorithm (DGA) to obtain the address of the C&C server. The DGA creates 2000 domains according to the current year and month. Domains consist of 15 characters with “com,” “ru,” and “cn” TLDs.

The C&C panel contains the tabs “Bots,” “Stats,” “Commands,” “Inject List,” “All Logs,” and “Inject Logs.” The threat actor is able to manage every infected device with the following list of commands in the commands tab.

The C&C panel also contains detailed statistics of the infected victims. At the time of analysis, FluBot had already infected more than 60,000 devices.

The statistics page of the panel also contains details about the device manufacturers, Android version, device language, and telecommunication operator name. When FluBot
successfully obtains the banking credentials, they are sent to the C&C and stored with in a log format.

Each log entry for the infected device may contain the SMS messages, banking credentials, device contacts, and application webview text logs, all of which can be used for extracting any kind of text-based credentials from every application that uses webview panes.


Given that the flubot spyware can only be cleaned from a phone by way of factory reset, it is extremely important users have protection against threats like it. There are a number of tools that can protect devices, and one of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *