FluBot Malware — All You Need to Know & to Act Now

FluBot is a recently discovered Android banking malware family whose spread has become increasingly worrying over the past months.

Although it reuses many of the tricks found in older malware families, FluBot has developed rapidly in just a handful of months, infecting many devices, spreading quickly and inflicting serious damage.

The malware chooses which mobile apps to target based on the device’s language setting. So far, the detected samples have mainly targeted banking apps in Spain, but evidence suggests it may move on to other markets, such as Poland, Germany, Hungary and the UK.

Besides mobile banking apps, FluBot also targets cryptocurrency-related mobile apps, regardless of the device’s language setting.

A FluBot infection usually follows this pattern:

Figure: FluBot infection pattern

(C&C = command and control server)

C&C — Domain Generation Algorithm (DGA)

Once the malware application has been installed and opened, it asks the victim to enable its accompanying accessibility service.

After that right is granted, the malware abuses the accessibility service to grant itself several further permissions and starts trying to connect to a C&C server.

Interestingly, no server or domain name is hardcoded in the application; instead, the malware dynamically generates domain names, which it then attempts to resolve.

It may take a few tries before it finds a resolvable domain name, after which the real communication begins.

Figure: one of the earlier samples trying to connect to a C&C server using generated domain names

Based on our research, FluBot evolves quickly. The current samples use DNS over HTTPS (DoH) to resolve the generated domain names.

This is likely done to make the malware harder to detect: no plain DNS query for the generated names ever leaves the device. Instead, the malware contacts legitimate resolvers (cloudflare-dns.com, dns.alidns.com, dns.google) over HTTPS and resolves the domain names through those services, so a network monitor sees only TLS connections to well-known resolvers, not the names being looked up.

Once one of the generated domain names resolves, communication with the C&C server begins.

Figure: a newer sample resolving the generated domain names through multiple DoH services

The first DoH-enabled FluBot samples used only Cloudflare’s DoH service for domain name resolution. Newer samples use multiple services, as seen in the screenshot above.
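To make the resolution loop concrete, here is an added example written for this article; it is neither FluBot’s code nor ThreatMark’s tooling. The domain generator is a placeholder SHA-256 scheme (an assumption; FluBot’s real DGA is not described here), the resolver URLs are the public DoH JSON lookup endpoints of the three services named above, and the network is replaced by a constructed offline stand-in in which only one candidate domain "exists". The loop walks the candidates, rotates across resolvers and stops at the first name that returns an A record.

```python
import hashlib
import json
from urllib.parse import parse_qs, urlparse


# Stand-in DGA (an assumption for this example, not FluBot's algorithm):
# derive `count` pseudo-random labels from a seed and a date string.
def candidate_domains(seed: str, day: str, count: int = 5, tld: str = ".com") -> list:
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).hexdigest()
        names.append(digest[:12] + tld)
    return names


# DoH JSON lookup URLs of the resolvers the post names (Cloudflare's /dns-query,
# Google's and AliDNS's /resolve). Requests carry `accept: application/dns-json`.
DOH_JSON_ENDPOINTS = {
    "cloudflare-dns.com": "https://cloudflare-dns.com/dns-query?name={name}&type=A",
    "dns.google":         "https://dns.google/resolve?name={name}&type=A",
    "dns.alidns.com":     "https://dns.alidns.com/resolve?name={name}&type=A",
}


def parse_doh_json(body: str) -> list:
    """Return the A-record IPs from a DoH JSON answer; empty on NXDOMAIN or error."""
    doc = json.loads(body)
    if doc.get("Status") != 0:          # DNS RCODE: 0 = NOERROR, 3 = NXDOMAIN
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1]


def find_c2(candidates, fetch):
    """Try candidates in order, rotating across resolvers, until one resolves.

    `fetch(url) -> str` performs the HTTPS GET and returns the response body.
    Returns (domain, ip, resolver) for the first live name, or None.
    """
    resolvers = list(DOH_JSON_ENDPOINTS)
    for i, name in enumerate(candidates):
        resolver = resolvers[i % len(resolvers)]
        body = fetch(DOH_JSON_ENDPOINTS[resolver].format(name=name))
        ips = parse_doh_json(body)
        if ips:
            return name, ips[0], resolver
    return None


# Constructed offline stand-in for the network: only the third candidate "exists".
DEMO_CANDIDATES = candidate_domains("demo-seed", "2021-03-01")
DEMO_LIVE = DEMO_CANDIDATES[2]


def offline_fetch(url: str) -> str:
    """Fake DoH responder: NOERROR with one A record for DEMO_LIVE, NXDOMAIN otherwise."""
    name = parse_qs(urlparse(url).query)["name"][0]
    if name == DEMO_LIVE:
        return json.dumps({
            "Status": 0,
            "Question": [{"name": name + ".", "type": 1}],
            "Answer": [{"name": name + ".", "type": 1, "TTL": 300, "data": "203.0.113.7"}],
        })
    return json.dumps({"Status": 3, "Question": [{"name": name + ".", "type": 1}]})


if __name__ == "__main__":
    print(find_c2(DEMO_CANDIDATES, offline_fetch))
```

Swapping `offline_fetch` for a real HTTPS client turns this into a live checker for a candidate list. Note what the defender is left with: every lookup is an HTTPS request to cloudflare-dns.com, dns.google or dns.alidns.com, so the queried names are only visible on the device itself or at the resolver, and network-side detection has to key on the C&C connection that follows rather than on DNS.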

Injecting on top of the apps

After establishing a connection to the attacker’s server, the malware sends the server a list of the applications installed on the device.

The C&C then responds with the list of applications it wants to target. The malware retrieves the corresponding injects (fake login screens) and displays them on top of the targeted applications whenever they are opened.

As a result, the victim unknowingly enters their credentials into this spoofed overlay rather than into the real app.

The video above shows the inject displayed on top of the Bankinter application.

The image gallery below shows other examples of the injects targeting other applications.

In our investigation we discovered the following banking injects:

"Bankinter" - com.bankinter.launcher.html
"BBVA" - com.bbva.bbvacontigo
"Cajasur" - com.cajasur.android
"Grupo Cooperativo Cajamar" - com.grupocajamar.wefferent
"Imagin Bank" - com.imaginbank.app
"Kutxabank" - com.kutxabank.android
"Ruralvia" - com.rsi
"Laboral" - com.tecnocom.cajalaboral
"Banco Santander" - es.bancosantander.apps
"Bankia" - es.cm.android
"Evo Banco" - es.evobanco.bancamovil
"IberCaja" - es.ibercaja.ibercajaapp
"Liber Bank" - es.liberbank.cajasturapp
"Openbank" - es.openbank.mobile
"Pibank" - es.pibank.customers
"Unicaja Banco" - es.univia.unicajamovil
"ING" - www.ingdirect.nativeframe

And two injects targeting cryptocurrency trading platforms:

"Binance" - com.binance.dev
"Coinbase" - com.coinbase.andriod

Other FluBot Malware functionality

FluBot malware possesses the ability to perform other harmful actions on the victim’s device, including:

All of these capabilities are very powerful in the wrong hands and can be very damaging to victims and their well-being.

And how does one get rid of FluBot?

When the victim tries to uninstall the malware from their device, the malware actively protects itself by closing the Settings app whenever the user reaches the uninstall screen, as seen in the video below:

Luckily, there are several ways to uninstall the malware despite this protection.

Recently, another way of removing the infection has appeared: an analyst created an Android application that uninstalls the FluBot application from the phone.

However, recent FluBot samples defend against this easy way of removing the app (again showing the rapid pace of development of this malware).

Figure: the code that detects the uninstaller; the uninstaller’s package name is space.linuxct.malninstall

How does ThreatMark protect against this malware?

ThreatMark’s SOC team is constantly on the lookout for the latest threats in the digital world. Their mission is to discover threats such as FluBot, dissect them and learn their modus operandi.

Once the details are known, the SOC team updates the threat intelligence of the ThreatMark Anti Fraud Suite.

From then on, all our clients receive detections and alerts on any sign of infection or overlay inject. This intelligence further allows our clients to block fraudulent transactions, or other activities, coming from infected devices.

To learn more about how ThreatMark detects the FluBot malware, and other threats, contact us.

Mobile malware is an ever-evolving threat that requires constant monitoring. With quickly evolving malware variants such as FluBot, it is important to have an up-to-date database of threats at your disposal in order to protect your users effectively from becoming victims of these attacks.

Companies can invest in advanced technological solutions, like ThreatMark’s AFS, that help detect, prevent and mitigate mobile malware attacks before they inflict any damage.

Originally published at https://www.threatmark.com.
