[German]The Android banking Trojan Flubot caused major damage to victims on Android systems since 2021. The last major campaign was reported a few days ago. Now Europol seems to have managed to shut down the infrastructure of the Flubot Android Trojan. Whether this will stop the business model is another matter.
Advertising
The Flubot smishing plague
I reported several times about banking trojan Flubot, that infects Android devices. Cybercriminals are targeting smartphone users in Europe with their smishing campaign to spread the Flubot malware to steal personal banking data on mobile phones in Europe. Germany is the most affected of all countries: 37.39% of the attack attempts observed by Bitdefender took place in this country.
The Flubot Trojan was first discovered in its current form in December 2020. In 2021, FluBot gained prominence and compromised a large number of devices worldwide. In addition to Germany, there were probably more significant incidents in Spain and Finland. Europol calls Flubot the fastest spreading mobile malware. The backers spread this Android FluBot malware very aggressively via SMS. The Trojan then stole passwords, online banking data, and other sensitive information from infected smartphones around the world.
In Germany, the criminals used a fake version of DHL's mobile app, the real version of which is very widespread and popular with over a million installations. Flubot's operators spread their malware directly via personalized SMS, so-called "smishing". Then, the malicious version of the DHL mobile app was installed by the duped users via sideloading on Android devices using the sent links.
Europol seizes the infrastructure
Now Europol announces the seizure of the SMS-based FluBot spyware or its associated infrastructure, as reported in the following tweet. Die Europol has published the details in this announcement.
Advertising
In an internationally cooperated law enforcement operation involving 11 countries, the Flubot Android malware – or rather its infrastructure – has been smashed. Already in early May, since the cybergang's infrastructure was successfully disrupted by the Dutch police (Politie), this malware strain was rendered inactive.
The infrastructure disruption operation is the result of a complex investigation involving law enforcement agencies from Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands, and the United States, with Europol's European Cybercrime Centre (EC3) coordinating international activities. The following police agencies were involved in the operation:
- Australia: Australian Federal Police
- Belgium: Federal Police (Federale Politie / Police Fédérale)
- Finland: National Bureau of Investigation (Poliisi)
- Hungary : National Bureau of Investigation (Nemzeti Nyomozó Iroda)
- Ireland: An Garda Síochána
- Romania: Romanian Police (Poliția Română)
- Sweden: Swedish Police Authority (Polisen)
- Switzerland: Federal Office of Police (fedpol)
- Spain: National Police (Policia Nacional)
- Netherlands: National Police (Politie)
- United States: United States Secret Service
It says: Under the leadership of the Netherlands Police, in cooperation with the eleven countries: Australia, Belgium, Finland, Hungary, Ireland, Spain, Switzerland, USA, succeeded in locating and shutting down the infrastructure at the end of May. Investigations are continuing with the aim of identifying the perpetrators. It would be good, of course, if those behind it could be apprehended – because the infrastructure could be rebuilt.
Users who suspect they have this malware on their Android devices should reset them to factory settings – recommend by Europol. Problem is rather to find out if the malware is on the device. That could be determined by a virus scanner app. Europol writes: If you tap on an app and it doesn't open, or if you try to uninstall an app and an error message appears instead, this is an indication of malware, they say.
Advertising