FluBot Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on FluBot Android malware, that impersonates mobile banking applications to draw fake webview on targeted applications.
Updated on
April 19, 2023
Published on
March 25, 2021
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
 
Advisory
Malware Advisory
Type
Credential Stealer, Android Malware
Name
FluBot malware
Affected Industries
Banking
  A newly discovered Android malware, dubbed FluBot, impersonates Android mobile banking applications to draw fake webview on targeted applications. The malware primarily focuses on stealing credit card details or online banking credentials, apart from personal data.  

Execution

FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the Accessibility settings on the device so as to maintain persistence on the device. It leverages fake login screens of prominent banks. Once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center. Which the malware operators easily exploit. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device. Thus, it receives access keys sent via SMS. Furthermore, it sends similar SMSes to other contacts, on the target device, to lure them into downloading the fake app. In a span of 2 months, the FluBot malware strain infected over 60,000 devices. Around 97% of its victims are located in Spain. Moreover, it has access to mobile phone numbers of around 11 million Spanish citizens.  

Impact

Business Impact
  1. Financial loss to the organization/ individual if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised PII leads to social engineering attacks
Technical Impact
The malware creates a backdoor which grants access to the user’s device. This enables the attacker to perform malicious operations and even launch other malware variants.  

Indicators of Compromise

   SHA1
  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
    SHA256
  1. 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
  2. 1eb54ee1328ad5563e0e85a8ecff13cd2e642f5c6fc42e0e1038aeac0ee8cf2f
  3. 2277d20669267bbe9ff8a656258af0a33563c18c45cef3624eab67cf123c29a7
  4. 3bb0dbdb9ec7822dc53af230de0bdb908a558993619ac788c90eeeb5af6a1e14
 
Active C&C server domains
  1. xjnwqdospderqtk[.]ru
  2. nfiuerwtftasnuk[.]com
 
APK distribution domains
http[:]//2020[.]techbharat[.]org[.]in/status/  http[:]//amirapache[.]ir/pkg/
http[:]//anapa-dive[.]ru/pkge/ http[:]//audioquran[.]kz/www/
http[:]//Boutique[.]creolegarden[.]com/fedex/ http[:]//buguilou[.]com/p/
http[:]//canhair[.]net/parcel/ http[:]//cloudstrading[.]com/fedex/ 
http[:]//developer[.]team1global[.]com[.]au/pack/ http[:]//ekremakin[.]org/pack/
http[:]//elektroprommash[.]ru/pack/ http[:]//freeavporn[.]com/fedex/
http[:]//grahaksamachar[.]in/p/ http[:]//idea-soft[.]it/p/
http[:]//imw6[.]com/pack/  http[:]//imwedsonpassos[.]com[.]br/parcel/
http[:]//isabelsantos123[.]pt/p/  http[:]//itaperunatem[.]com[.]br/pkge/
http[:]//lamoraleja[.]com[.]co/status/  http[:]//landing[.]kofacins[.]com/pack/
http[:]//ln-lighting[.]com/pkg/ http[:]//mimi-mi[.]studio/pkg/
http[:]//muaadzawy[.]com/pkg/ http[:]//ouyangpengcheng[.]xyz/p/
http[:]//palinkapatika[.]com/pack/  http[:]//pescadorsportsgroup[.]com/pkg/
http[:]//portalcalamuchita[.]com[.]ar/pack/ http[:]//printing-packingshow[.]ir/fedex/
http[:]//raku-plus[.]com/pack/ http[:]//rpgbundle[.]info/status/
http[:]//sailorcrossfitmdp[.]com/fedex/ http[:]//skipshopping[.]net/fedex/
http[:]//srinterior[.]co[.]in/pkg/ http[:]//studiobonazzi[.]eu/fedex/
http[:]//telec[.]com[.]pk/pkg/ http[:]//teologianaweb[.]com[.]br/pkg/
http[:]//valks3d[.]com[.]br/fedex/ http[:]//thejoblessemperor[.]in/pkg/
http[:]//www[.]export-barazande[.]com/fedex/ http[:]//www[.]internetpathshala[.]co/p/
http[:]//www[.]larrecantofeliz[.]com[.]br/fedex/ http[:]//www[.]old[.]danacadesign[.]com/fedex/
http[:]//www[.]payamesavadkooh[.]ir/pack/ http[:]//www[.]pudhuveedu[.]in/p/
http[:]//www[.]raeloficial[.]com/pkg/ http[:]//www[.]recycom[.]gr/pack/
http[:]//www[.]zyzlk[.]com/p http[:]//www[.]old[.]da/
http[:]//www[.]zyzlk[.]com/pack/ http[:]//wxz14[.]com/p/
http[:]//xref[.]icu[:]9090/pkg/ http[:]//yangbin[.]100cuo[.]com/pack/
http[:]//yulu1953[.]cn/fedex/ https[:]//42sf[.]net/pack/
https[:]//84blog[.]xyz/pkg/ https[:]//aitao[.]site/pkg/
https[:]//alercehistorico[.]cl/pkg/ https[:]//amzstudy[.]com/pack/
https[:]//apartners[.]vn/pack/ https[:]//brighterdaysfi[.]com/fedex/
https[:]//byalex-photography[.]co[.]uk/pack/ https[:]//cbd-and-epilepsy[.]com/pack/
https[:]//cbd-and-seizures[.]com/p/ https[:]//contornosdesign[.]pt/pkg/
https[:]//cssincronbucuresti[.]ro/pkg/ https[:]//delhi[.]tie[.]org/p/
https[:]//dgeneration[.]in/pack/ https[:]//dumeiwu[.]com/p/
https[:]//elitekidsbookzone[.]sch[.]ng/pack/ https[:]//escuelaargentina[.]cl/p/
https[:]//fraternitykerala[.]org/pkg/ https[:]//garveylibertyhall[.]com/pack/
https[:]//getblogour[.]com/fedex/ https[:]//gladiadoresdevendas[.]com[.]br/pack/
https[:]//hentaivillage[.]com/parcel/ https[:]//illuminaticult[.]org/fedex/
https[:]//imrt[.]ac[.]in/pack/ https[:]//imrt[.]ac[.]in/pkg/
https[:]//industrial-land[.]vn/pack/ https[:]//jexchange[.]ga/pack/
https[:]//kidimy[.]org/pkg/ https[:]//lacasa-dh[.]nl/pack/
https[:]//londonroofingpros[.]co[.]uk/fedex/ https[:]//machupicchutraveling[.]com/pkg/
https[:]//mucc[.]com[.]au/p/ https[:]//mvpmsadhyapak[.]in/p/
https[:]//nakoblog[.]info/fedex/ https[:]//nen[.]vacad[.]net/pkg/
https[:]//pic[.]tnell[.]com/pkg/ https[:]//rishipes[.]co[.]nz/pack/
https[:]//ryansa[.]com/pkg/ https[:]//sdlformazione[.]it/p/
https[:]//sprintintercom[.]com[.]au/fedex/ https[:]//telugufusion[.]com/pkg/
https[:]//tuyennvtb[.]com/p/ https[:]//twospoonsfleet[.]co[.]uk/p/
https[:]//visotka[.]in/pack/ https[:]//weboyal[.]com/p/
https[:]//www[.]admh[.]in/fedex/ https[:]//www[.]agroescape[.]com/pkg/
https[:]//www[.]divam[.]ir/pack/ https[:]//www[.]nbkangxi[.]com/pack/
https[:]//www[.]omvshop[.]com/pkge/ https[:]//www[.]spave[.]com[.]pk/p/
https[:]//www[.]wwworks[.]com[.]au/p/ https[:]//www[.]ylem222[.]com/p/
https[:]//xatziemmanouiltools[.]gr/pkg/ https[:]//xn–thvitstore-c7a[.]com/pkg/
 

Mitigation

  1. Use updated antivirus software that detects and prevents malware infections
  2. Apply critical patches to the system and application
  3. Use strong passwords and enable 2FA over logins
  4. Check the privileges and permission allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly  
  7. Open source platform recommendation to remove the malware:
https://www.xda-developers.com/psa-uninstall-flubot-sms-malware-with-malninstall/

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations