FluBot is a sophisticated Android banking trojan that spreads via SMS phishing, enticing users to click on malicious links. FluBot first emerged in late 2020 and focuses on stealing sensitive information, particularly banking credentials and personal data. FluBot is an aggressive variant of Cabassous. Attackers employing the FluBot trojan target users with fraudulent messages and notifications indicating they had missed a package. These messages contain a link to a page that requests users install malware disguised as what appears to be a legitimate delivery app.
This trojan shares much of the functionality of TeaBot. The main change is adding a way to reply directly to push notifications. With this capability, FluBot can intercept an incoming notification, forward it to the attacker’s server, and return a manipulated notification to the victim. Discovered in April 2021, this trojan has targeted 17 banking apps. Victims from Austria, Australia, Germany, Poland, and Spain have had devices compromised.
In addition to its shared features, FluBot comes packaged with other novel capabilities:
- The malware sends statistics to the server about the notifications received every minute.
- Attackers introduced Direct Reply to push notification feature, which can intercept the notification messages, send them to the server, and display the manipulated notification to the users.
Threats Posed by FluBot to Mobile Banking Apps
- Data Theft: FluBot is designed to steal sensitive information from the user’s device. This theft includes login credentials for banking apps, credit card information, and personal identification details.
- Keylogging: The trojan can capture keystrokes, recording everything the user types on their device. This information includes usernames, passwords, PINs, and other sensitive data entered into mobile banking apps.
- SMS Intercept: FluBot can intercept SMS messages on the infected device. Intercepted messages could include one-time passwords (OTPs) and transaction verification codes sent by mobile banking apps, potentially allowing attackers to bypass two-factor authentication.
- Overlay Attacks: FluBot can employ overlay attacks, displaying fake login screens that mimic legitimate mobile banking apps. Users may unwittingly enter their credentials into these deceptive interfaces, which are then captured by the trojan.
- Device Information Theft: FluBot can gather device-specific information, such as device identifiers, phone numbers, and operating system details. This information may be used for tracking and profiling users.
- Remote Control: The trojan connects to the attackers’ command and control (C2) server. This connection enables remote control of the infected device, allowing attackers to execute various commands, including unauthorized transactions.
Mitigating the Threat of FluBot
To protect your mobile banking app and its users from the FluBot banking trojan and similar threats, consider implementing the following security measures:
- Regular Updates: Keep your mobile banking app and its dependencies up-to-date with the latest security patches and enhancements to address known vulnerabilities.
- User Education: Educate users about the importance of downloading the official app from trusted sources, avoiding suspicious links or downloads, and being cautious with app permissions.
- Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
- Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
- Secure Coding: Follow secure coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
- Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
- Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
- Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.
By taking these precautions, you can help safeguard your mobile banking app and protect your users from the threats posed by the FluBot banking trojan and other evolving malware.
Learn More about Banking Trojan Families
FluBot is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:
- Medusa Trojan
- Cerberus Trojan