The European Union’s law enforcement agency announced Wednesday that an operation involving 11 countries led to its recent takedown of a fast-spreading mobile malware known as FluBot.
The European Union Agency for Law Enforcement Cooperation, popularly known as Europol, said in a web post that the Android malware has been “spreading aggressively through SMS [text messages], stealing passwords, online banking details and other sensitive information from infected smartphones across the world.”
The malware’s infrastructure was disrupted last month by the Dutch Police, according to Europol, which said the Dutch success at inactivating the malware strain was the culmination of a highly technical investigation involving law enforcement from the U.S., Australia and eight European countries. Europol’s European Cybercrime Centre coordinated the complex interagency probe.
Europol said FluBot first emerged in late 2020 and built momentum in 2021, ultimately compromising what it called a “huge” number of devices worldwide, including via especially significant incidents in Spain and Finland.
FluBot leveraged victims’ text messaging to infect their phones, the Europol announcement said.
While Europol heralded its multi-jurisdictional team’s success in taking out FluBot, history suggests the botnet, or network of infected computers, could live to see another day. Botnets have proven difficult to permanently eradicate in the past.
For example, Microsoft said in October 2020 that it had obtained a court order which allowed it to disable the infrastructure supporting Trickbot, a prolific malware that distributed massive amounts of ransomware in 2020. But threat analysts subsequently said that Trickbot reemerged as attackers succeeded in getting some users to click and install the malware.
Europol said that Android users targeted with FluBot were asked to click a link and install an application in order to keep track of a package delivery. In other cases, victims were told to listen to what Europol described as a “fake voice mail message.” Once installed, FluBot would ask for accessibility permissions, which hackers then used to “steal banking app credentials or cryptocurrency account details and disable built-in security mechanisms,” Europol said.
The malware “spread like wildfire due to its ability to access an infected smartphone’s contacts,” the Europol post said. The malware was designed to send links to those contacts, which exponentially increased the malware’s reach in what the Europol web post called a “destructive spiral.”
Europol said the investigation is ongoing as it tries to identify the individuals responsible for the global malware campaign.
Europol said that FluBot malware can be difficult to detect since it masquerades as an application.
The agency advised those who fear they have been infected to check whether an app contains the malware by tapping it. If the app doesn’t open, it could be FluBot.
Similarly, Europol said if users try to uninstall an app without success, instead receiving an error message, it could also be a sign that their device has been infected. The agency said users who believe they are infected with the malware should reset the phone to factory settings.