Android Banking malware floods Europe
Security analysts at Zscaler ThreatLabZ warn of an Android banking malware family called Flubot, which is currently active in the US and the UK, as well as in other European countries.
Cases have also occurred in Germany, prompting the LKA Lower Saxony (the state criminal police office) to issue a general warning. The Android banking malware tricks its victims into installing the malicious code via a fake package-delivery notification SMS in order to harvest banking data. Flubot has extensive functionality, the most consequential being the theft of credit card information. The malware can also bypass the multi-factor authentication features of financial institutions.
Flubot’s infection cycle begins with a text message luring victims with the claim that they have either missed a package or that a new package is on its way. The SMS contains a malicious link that redirects users to a compromised website, which then downloads the Flubot Android banking malware. The app presents itself as a delivery notification app from “FedEx”, “DHL” or “Correos”, and in some cases as “Chrome”.
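As an added illustration (not code from the Zscaler report), a small defender-side heuristic that flags SMS text matching the lure pattern above: delivery wording combined with a link to a host outside an allowlist of carrier domains. The allowlist, keyword list and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: domains an operator would maintain from verified carrier sources.
LEGIT_CARRIER_DOMAINS = {"fedex.com", "dhl.com", "dhl.de", "correos.es"}

# Lure wording matching the "missed package / new package" theme.
DELIVERY_KEYWORDS = ("package", "parcel", "delivery", "shipment", "missed",
                     "track", "paket", "sendung", "paquete", "envío")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>'\"]+", re.IGNORECASE)

def extract_hosts(text):
    """Return the lowercased hostnames of all URLs found in the text."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts

def is_allowlisted(host):
    # Accept the registered carrier domain itself or any of its subdomains.
    return any(host == d or host.endswith("." + d) for d in LEGIT_CARRIER_DOMAINS)

def score_sms(text):
    """Return (score, reasons); two or more reasons mark a suspected lure."""
    reasons, lowered = [], text.lower()
    if any(k in lowered for k in DELIVERY_KEYWORDS):
        reasons.append("delivery lure wording")
    for host in extract_hosts(text):
        if not is_allowlisted(host):
            reasons.append(f"link to non-carrier host {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address in link")
    if re.search(r"\.apk\b", lowered):
        reasons.append("direct APK download")
    return len(reasons), reasons

def is_suspected_smish(text):
    return score_sms(text)[0] >= 2

SAMPLE_MESSAGES = [  # constructed samples, not real campaign messages
    "DHL: Your package could not be delivered. Reschedule: http://dhl-tracking.example.net/a1b2",
    "FedEx: your parcel is on its way. Track at https://www.fedex.com/track",
    "Hey, dinner at 8? http://maps.example.org/place",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(is_suspected_smish(msg), score_sms(msg)[1])
```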
Flubot is a typical Android banking malware with a wide range of features, including interception of SMS messages and harvesting of the contact list, which it also uses to spread itself by sending messages to those contacts. The malware also retrieves a list of installed applications and can uninstall applications from an infected device. Credit card data is harvested through fake system overlays. Less common features include a domain generation algorithm (DGA) used to locate its command-and-control (C&C) servers and RSA encryption of part of the communication sent to those servers. The malware can also disable Google Play Protect by abusing the Android accessibility service.
Once installed, the malware monitors the applications opened by the victim. If the opened app is one of the targeted banking applications, it displays a fake overlay screen and captures the login credentials entered into it. A fake Google verification page is another way it harvests data.
Given how widespread the mobile operating system is, attacks on Android users are commonplace and will continue to increase rapidly. Android users therefore do well to be on their guard against mobile malware. Malware like Flubot has the full potential to compromise victims, with features such as stealing bank details and bypassing multi-factor security measures.
It is therefore advisable to avoid third-party sources of Android apps and to distrust unsolicited links received via email and SMS. ThreatLabZ’s security team provides proactive protection against advanced threats targeting Android banking apps. Its threat researchers continuously track Android malware families linked to targeted attacks (advanced persistent threats) against the Android ecosystem and capture the latest malicious indicators.