Dr. Security gives tips and answers questions related to cybersecurity. This time it’s about not falling victim to the SMS Trojan Flu Bot virus.
Question
Dear Dr. Security,
I recently read about the Trojan FluBot, an SMS virus, and how it can attack my smartphone. I have an Android phone but my wife uses iOS. We both use mobile banking, payment services, email, and more on our mobiles. We heard that this SMS virus can attack and steal all our payment and email information. Is this a real threat, and what should I do?
(Uwe, Zurich)
Answer
The Android Trojan FluBot is now targeting Swiss mobile users. This bot sends massive amounts of spam SMS to local mobile phone numbers. The text message indicates that there is a new voice message to listen to. The user is encouraged to click on a link in the SMS to listen to their voice mailbox.
On the website, which looks like that of a mobile phone provider, users are prompted to install a new voicemail app (a Voicemail.apk file). As a result, the user ends up unintentionally installing the Trojan FluBot.
The Trojan FluBot has been around since the end of 2020, infecting thousands and millions of devices across Europe. Now it has vigorously entered Switzerland.
Android phones are directly at risk
Although Android blocks the installation of apps from unknown sources, it is possible to bypass this protective measure manually. The reason for this possibility is to allow the user to be able to install apps from alternative or trustworthy sources. However, this feature becomes a “bug”: cybercriminals take advantage of it to make their victims install the malicious App. Where the users are led to believe that they have downloaded a new voicemail app from the website of their cellular network provider, they are actually installing a dangerous e-banking Trojan virus. However, there is no need to panic. As long as you stick to the official app sites from Google, Huawei, Samsung, or other trustworthy providers, you will not risk catching the e-banking Trojan virus.
The Trojan FluBot targets banking and payment information
Once installed, the Trojan FluBot reads the contacts in the address book, intercepts SMS messages, extracts credit or banking details, and any other private or sensitive information. This includes any data or information you have on platforms/apps such as Binance, Coinbase, Blockchain.com, wallet, banking, and Gmail.
The next time the users open any of these apps, the Trojan FluBot can impose a fake, but convincing, overlay window over the original application. As the users type their credentials, the Trojan FluBot steals the information and begins to make massive transactions on behalf of the victims.
iOS users should still be cautious
As the malware cannot be installed on iOS devices, the link instead forwards the user to fraudulent phishing and advertisement websites. Here users might be caught by suspicious investment opportunities, subscription traps, or other ways that encourage the user to disclose personal or sensitive information.
Smartphones enable the Trojan FluBot to spread rapidly
By taking control of the Contact Book on your phone, the Trojan FluBot sends massive amounts of SMS to other potential victims at the expense of the user. This includes sending SMS to expensive destinations or paid premium numbers.
Recipients think it is a friend or contact, sending the messages, when in fact it is the cybercriminal in disguise. As some SMS messages even contain a personal salutation, the new victims are therefore more likely to fall for the scam. As a result, the virus spreads quickly as the risk of other devices being infected increases.
The sophisticated design of the Trojan FluBot makes it difficult for mobile network providers to block its spread. However, when a spam SMS is reported IT security teams can effectively block access to the identified malicious websites. Similarly, Google is warned of the spam SMS and the malicious websites associated with it.
How do cybercriminals have my number?
There are two main ways that cybercriminals obtain your phone numbers.
First, mobile phone numbers and other data, such as names and home addresses, can be found in data leaks from services or platforms where you have your data stored (e.g., Facebook, LinkedIn, e-commerce platforms, etc.). Data that is leaked is often sold on the dark web where cybercriminals can purchase information to help them perform malicious fraud. As a rule of thumb, you can better secure your accounts by ensuring you enable two-factor or multi-factor authentication and keep strong passwords.
Second, cybercriminals could be randomly generating millions of Swiss mobile phone numbers and testing them in a mass fraud attempt. Unfortunately, there is no way for you to prevent this, except for being cautious about clicking on links that you receive via SMS or other messaging platforms and avoiding falling into phishing scams.
What to do if you receive the spam SMS
- Do not click the link in the SMS.
- Do not download any apps to your mobile phone.
- Delete or ignore the SMS.
- If possible, report it to the National Cybersecurity Center (NCSC). The registration form can be found on the NCSC website.
How do I know if my mobile phone is infected?
- If your mobile phone is infected, the cybercriminal sends massive amounts of SMS from your mobile phone to your contact list but also random mobile numbers in Switzerland and even abroad. This means that new victims think they are receiving an SMS from you, when in fact it is the cybercriminal in disguise.
- Annoyed recipients will start to contact you.
- People you do not know will begin receiving SMS and calls from you.
- Your mobile phone starts to heat up unexpectedly and quickly.
5 steps to take if you are a victim of the Trojan FluBot
- Reset your phone to factory settings
- Inform your mobile provider
- Block your credit card and order a new one
- From another device, change your access details for the cryptocurrency payment services you use
- From another device, change your login details for any mail accounts you have
Best, your Doc
I am happy to answer your questions, so do not hesitate to write to the Doctor at: doctor@futurae.com.