Date: 2021-12-05

The National Cyber Security Center of Finland (NCSC-FI) has issued an alert about a malware called FluBot, which spreads via SMS like the flu (short for "influenza") and targets Android devices and iPhones. About 70,000 cell phones were infected in just 24 hours, according to the statement published by NCSC-FI, in a malicious campaign based on voicemail notifications and messages presented as coming from the user's mobile network provider.

The language used by criminals in their campaigns is Finnish, but without the usual accented characters such as å, ä and ö. Also, characters like +, /, &, %, and @ are inserted in illogical places in the text to make it harder for mobile operators to filter messages. For FluBot to spread to other countries, hackers just need to change the campaign to reach users of other languages, such as Portuguese.
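As an added example (not code from NCSC-FI or the original article), a filter on the operator or SOC side can undo this obfuscation before keyword matching by removing the inserted symbols from inside words and folding accented characters to ASCII. The keyword list, the noise threshold and the sample messages are constructed assumptions.

```python
import re
import unicodedata

NOISE = "+/&%@"  # symbols the alert says are inserted in illogical places
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A noise symbol counts only when it sits inside a word (word characters on both sides).
INNER_NOISE_RE = re.compile(r"(?<=\w)[" + re.escape(NOISE) + r"]+(?=\w)")
# Assumed lure keywords in ASCII-folded Finnish (voicemail message, parcel, shipment).
LURE_KEYWORDS = ("vastaajaviesti", "paketti", "lahetys")

def fold(text):
    """Lower-case and drop diacritics so 'lähetys' and 'lahetys' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def normalize_sms(body):
    """Return (clean_text, urls, noise_count) for one SMS body."""
    urls = URL_RE.findall(body)
    text = URL_RE.sub(" ", body)  # URLs legitimately contain / & % @, so set them aside
    noise_count = len(INNER_NOISE_RE.findall(text))
    text = fold(INNER_NOISE_RE.sub("", text))
    return " ".join(text.split()), urls, noise_count

def classify(body, noise_threshold=2):
    """Flag a message that carries a link plus a lure keyword or heavy in-word noise."""
    text, urls, noise = normalize_sms(body)
    hits = [k for k in LURE_KEYWORDS if k in text]
    suspicious = bool(urls) and (bool(hits) or noise >= noise_threshold)
    return {"suspicious": suspicious, "keywords": hits, "noise": noise, "urls": urls}

# Constructed sample messages (not taken from the alert); example.invalid is a placeholder.
SAMPLES = [
    "Sinulle on uusi vas+taaja/vie&sti: http://example.invalid/v?id=1",
    "Pak%etti on saapunut, seuraa: https://example.invalid/t",
    "Kuvat löytyy täältä https://example.invalid/album",
    "Nähdään huomenna klo 12",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify(sms)["suspicious"], "|", normalize_sms(sms)[0])
```

The in-word noise count is itself a signal: ordinary messages rarely place these symbols between letters, so a link plus several such hits is worth flagging even when no keyword matches.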

Examples of Finnish messages received by FluBot victims – Image: Reproduction/NCSC-FI

Flu can hit hundreds of thousands of devices quickly

FluBot was already active in the Nordic country in June of this year, and if the current campaign is as harmful as the previous one, hundreds of thousands of devices could be hit by the malware quickly. In that earlier attack, cybercriminals distributed FluBot via bogus SMS messages, which claimed to help victims track parcel deliveries or listen to a voicemail message.

There were also cases of links inserted in messages directing victims to fake web pages that warned that the user's Android device was infected with malware and that the user urgently needed to install a security system. This is classic phishing.

The current FluBot campaign has been observed using parcel tracking notices that reference the shipping service of DHL, one of the largest logistics companies in the world. The harmful link to install the malware is present in the text of the messages.

The current NCSC-FI alert points out that all the SMS messages have one thing in common: a request to the recipient to open a link. iPhone users are directed to various fraudulent websites that seek credit card details, among other fraud attempts.

Clicking on the link alone does not install the malware, as the next step of the attack is to ask the user's permission for the installation. If the person allows the installation of the supposed security system or order tracking app, for example, FluBot is installed. It is then able to steal banking credentials, text messages and contact information from victims' devices.

With the stolen contact information, the malware "spreads like the flu" by sending scam messages, which ask for confirmation of sensitive information such as bank or credit card details, to the contacts of those who have already been infected.

Users of devices infected with FluBot are advised by NCSC-FI to do a factory reset and restore their devices from a backup created before the infection. It is also recommended that victims never enter personal data on websites if there is any doubt about the authenticity of the contact.

