Smart & Secure Blog

Flubot Threat Bulletin – Allot blocks over 140M C&C connection attempts

Flubot Threat Bulletin – Allot blocks over 140M C&C connection attempts

Flubot has had a devastating impact on Android users in several European countries over the last few months. The latest Banker Trojan spreads via SMS messages that appeared to be from well-known shipping companies (FedEx, DHL, etc.) to trick users into clicking to download the malicious app onto their mobile device, ostensibly to track a package delivery. Once downloaded, Flubot completely takes over the phone, hiding from antivirus detection and removal, gathering and exfiltrating personal banking data, and propagating itself further by sending out the SMS to the phone’s contacts. The cybercriminals behind the attack use stolen banking and browsing history data to identify which e-commerce sites or banking/payment apps the phone’s owner habitually uses, so that the next time they try to login to their account the Flubot command & control server reroutes them to a targeted overlay that looks identical and steals login credentials.

From March to May 2021 Allot Secure prevented Flubot Banker Trojan from connecting to its command & control server 144,888,798 times.

Flubot Steals Money

Flubot is a Banker Trojan. A Trojan, named after the Trojan Horse of Greek mythology, is a type of malware that disguises itself as legitimate software, in this case delivery tracking software, to sneak its way onto your device and gain access to the system. A Banker Trojan steals money by intercepting sensitive personal information and credentials for accessing ecommerce or online banking/payment accounts.

Parcel Delivery SMS Tricks People into Downloading Flubot App

This Banker Trojan uses social engineering to spam mobile subscribers with a simple SMS message that appears to be from a large, well-known shipping service such as FedEx, DHL, Amazon, Correos (Spain), etc. The familiar-looking message states a package is on its way and instructs you to download the branded company app to track the delivery. This is such a common activity, especially since the Covid-19 crisis has boomed the delivery industry. Once the user clicks on the innocent-looking link, the malicious app is installed. Everything about the download and installation process precisely mimics the real company’s real app. Flubot can then access the phone’s contacts to send SMS messages to more victims. Flubot targets Android users with a malicious Android app, but this time even iOS users are not spared. If an iPhone user receives the SMS and clicks on the link, the device is recognized as iOS and redirected to a regular web-based phishing page. Flubot can also be spread to PCs via an email message with a download or phishing link.

Flubot fake SMS

URLs Recently Used by Flubot Banker Trojan

The recent campaign used dozens of different URLs, with localized content for each target market hit. Some URLs are purely malicious, others are of real legitimate organizations that have been hacked and used to host the Banker Trojan without the permission or knowledge of the website owner.

Flubot Banker Trojan URLs

Evading Antivirus Detection

Once installed, Flubot makes itself undetectable by modifying the registry. It also blocks access to the Google Play Store so that the user is unable to download new antivirus applications. This means that not only is it almost impossible to protect yourself from infection, but even once you realize your device is infected, it is very difficult to remove. Advanced users can follow the removal instructions in this video. Most users will need to do a factory reset, which wipes clean all the apps and information on the phone. Android Factory Reset instructions

Reconnaissance, Data Exfiltration, and Banking Overlay

Like the name suggests, once inside a Banker Trojan quickly begins gathering reconnaissance for its ultimate mission – stealing money. When the malware is installed in the terminal, it uses the banking/payment app’s internal name to detect the moment it is opened. Next, it sends this information to the C&C server, which then sends the matching overlay that identically mimics that app’s login page to intercept account login details. Once this stage is complete, the criminals can begin emptying funds from the account or making malicious purchases.

Internal App Identifiers to Create Overlay Flubot

Want to learn how CSPs can gain double-digit growth and substantial revenues, by delivering cybersecurity to consumers the right way? Join on-demand webinar:

2020 Cyber Threat Report: What Poses the Greatest Danger to Your Subscribers?

Protect Subscribers with Allot Secure

Allot Secure allows CSPs to protect their subscribers from all types of cyberthreats by offering security as a service (SECaaS) from the network. Up-to-date threat intelligence and in-line anti-virus scanning protects users from connecting to C&C servers, malicious browser trackers, and all types of malware, banking Trojans, crypto jacking, ransomware, and IoT specific attacks such as Mirai and its variants.
Allot Secure unifies network-based security, home and business gateway security and security clients into the CSP’s own branded security service. It delivers a seamless customer experience through a single interface for policy setting, reporting, and event handling.

To learn more about how service providers can increase customer satisfaction, NPS and ARPU by offering Allot Network Security Solutions, download the Telco Security Trends Report.

Contact sales

Contact Sales


Discover the best solutions for your organization

You’re all set!

We look forward to meeting with you on Monday, June 28 @ 14:00 EST. The meeting details will be sent to your mail box in a few seconds.

For a deep dive into Allot’s SMB solutions, we’d like to offer you a free copy of our position paper
Security for SMBs: Threats and Opportunities on the Rise.

Magazine Get your e-book »