Android mobile phone users across the U.K. and Europe are being targeted by text messages containing a particularly nasty piece of spyware called “Flubot,” according to the U.K.’s National Cyber Security Centre. And the U.S. could be the next target.
The malware is delivered to targets through SMS texts and prompts them to install a “missed package delivery” app. Instead, it takes victims to a scam website where they download the “app” — which is really just the spyware. Once installed, it then sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information. It also sends out additional text messages to the infected device’s contact list, which allows it to “go viral” — like the flu.
The U.K.’s National Cyber Security Centre (NCSC) has issued security guidance about how to identify and remove FluBot malware, while network providers including Three and Vodafone have also issued warnings to users over the text message attacks.
So far, most of the phishing texts are branded to look like they are being sent from DHL, the NCSC said, but warned, “the scam could change to abuse other company brands.”
One victim posted a message posing as a link from the Royal Mail.
Another user on Twitter spotted this scam “Amazon” message which they point out swaps the “o” for a zero in the link.
⚠️SCAM TEXT ALERT ⚠️
If you receive a text message that looks like the one below:
IGNORE: Do not click any links.
REPORT: Report it by forwarding to 7726.
DELETE: Remove the text from your phone. pic.twitter.com/ailKcmXYh4
— Vodafone UK (@VodafoneUK) April 22, 2021
Anyone who receives what they believe to be a scam text is advised not to click on any links and to forward the text to “7726,” a “free spam-reporting line” established to combat fraud in the U.K. Finally, delete the message and block the sender.
If a user has already clicked on the link, the NCSC warned not to enter any password or other personal information. To remove the malware from the infected device, “Perform a factory reset as soon as possible,” the NCSC guidance reads. “The process for doing this will vary based on the device manufacturer…Note that if you don’t have backups enabled, you will lose data.”
The NCSC added that if a user has entered their personal information, it’s critical to change those passwords immediately to prevent further compromise.
To prevent future attacks, the NCSC said users should back up any important information, only install a minimal number of apps from trusted sources and use available virus protection offered by Google Play and others.
SMS Phishing (‘Smishing’) On the Rise
These types of SMS phishing scams, also known as “smishing,” aren’t anything new. In February, attackers were harvesting personal data of users in the U.K. with fake messages promising tax refunds for overpayment. Mobile phishing has been a booming business since the start of the COVID-19 pandemic, experts say, and they expect it will only continue to grow.
Paul Ducklin, researcher at Sophos, explained why smishing is becoming such a popular choice for threat actors in discussing the February campaign.
“SMSes are limited to 160 characters, including any web links,” Ducklin said. “So there’s much less room for crooks to make spelling and grammatical errors, and they don’t need to bother with all the formalized cultural pleasantries (such as ‘Dear Your Actual Name’) that you’d expect in an email.”
Ducklin also pointed out the small mobile screen makes it harder for users to detect a scam, adding “once you’ve tapped on the link and the browser window has filled the screen, it’s harder to spot that you are on an imposter site.”
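The brand-impersonating links described above (DHL, Royal Mail, and the “Amazon” link with a zero in place of the “o”) can be caught by a simple filter on reported texts. The following Python sketch is an added example, not part of the NCSC guidance or the original article; the allow-listed domains, the character substitutions and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands named in the article, mapped to domains treated as genuine here.
BRANDS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "dhl": {"dhl.com"},
    "royalmail": {"royalmail.com"},
}
# Digit-for-letter swaps folded back before matching (0->o, 1->l, 3->e, 5->s).
FOLD = str.maketrans("0135", "oles")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def on_legit_domain(host, legit):
    """True if host is one of the allow-listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit)

def check_sms(text):
    """Return (url, brand, reason) for each link naming a brand off its real domain."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Drop dots and hyphens so "royal-mail" and "amaz0n.parcel" still match.
        # Heuristic: short names such as "dhl" can match by coincidence.
        raw = re.sub(r"[^a-z0-9]", "", host + parts.path.lower())
        folded = raw.translate(FOLD)
        for brand, legit in BRANDS.items():
            if brand not in folded or on_legit_domain(host, legit):
                continue
            reason = "brand name off-domain" if brand in raw else "lookalike characters"
            findings.append((url, brand, reason))
    return findings

# Constructed sample messages (not real campaign data); .example is a reserved TLD.
SAMPLE_SMS = [
    "DHL: Your parcel is arriving, track here: http://dh1-track.example/p/?x9k2",
    "Amazon: missed delivery, reschedule at https://amaz0n.delivery-update.example/uk",
    "Royal Mail: your package is held. https://parcel-fees.example/royalmail/pay",
    "Your Amazon order has shipped: https://www.amazon.co.uk/gp/your-orders",
    "Lunch at 1? http://cafe.example/menu",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, brand, reason in check_sms(sms):
            print(f"SUSPICIOUS [{brand}: {reason}] {url}")
```

A filter like this only narrows down what to review; a link that names no brand at all passes untouched, so the advice to avoid tapping links in unexpected delivery texts still applies.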