Why FluBot is a major threat for Android users, how to avoid falling victim, and how to get rid of the malware if your device has already been compromised

Android malware known as FluBot is continuing to cause mayhem across some European countries, and there is speculation that the threat actors behind it may decide to target other geographies, including the United States. Here’s why you should be vigilant, how FluBot operates, and how you can remove this Android nasty from your device.

It’s also worth noting that this advice will help you stay safe from other Android malware strains. In recent days, cybercriminals have begun to target Europeans with TeaBot (also known as Anatsa or Toddler), an Android malware family that uses exactly the same technique as FluBot to spread and to lure users into giving up their sensitive data. FluBot and TeaBot are detected by ESET products as variants of the Android/TrojanDropper.Agent family.

How FluBot operates

If a victim falls for the lure, their entire Android device becomes accessible to the scammer, who may be able to steal credit card numbers and access credentials to online banking accounts. To avoid removal, the attacker implements mechanisms that stop the built-in protection offered by the Android OS and block the installation of many third-party security software packages, which is a step many users would take to remove malicious software.

The victim first receives an SMS message that impersonates a popular delivery logistics brand, such as FedEx, DHL, and Correos (in Spain). The call to action of the message is for the user to click a link in order to download and install an app that has the same familiar branding as the SMS message but is actually malicious and has the FluBot malware embedded within it. An example of the SMS message (in German) and the subsequent prompt to install the app can be seen below:

Once installed and granted the requested permissions, FluBot unleashes a plethora of functionality, including SMS spamming, the theft of credit card numbers and banking credentials, and spyware. The contact list is exfiltrated from the device and sent to servers under the control of the bad actor, providing them with additional personal information and enabling them to unleash further attacks on other potential victims. SMS messages and notifications from telecom carriers can be intercepted, browser pages can be opened, and overlays to capture credentials can be displayed.

The malicious app also disables Google Play Protect to avoid detection by the operating system’s built-in security. Also, due to the extensive permissions granted, the threat actor is able to block the installation of many third-party antimalware solutions.
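As an added example that is not part of the original article, the following Python code triages SMS text for the lure described above: a message that names a delivery brand but links somewhere other than that brand's own site, or straight to an APK. The brand-to-domain map, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: official domains for the brands the article names; extend per region.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "correos": {"correos.es"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not captured traffic); hosts use reserved example domains.
SAMPLES = [
    "DHL: Ihr Paket kommt an, verfolgen Sie es hier: http://paket.example.net/p/?id=abc123",
    "FedEx: track your shipment at https://www.fedex.com/fedextrack/?trknbr=000000000000",
    "Correos: su envio esta en camino http://envio.example.org/app/correos.apk",
    "Lunch at 12?",
]


def on_official_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(text):
    """Return lure indicators found in one SMS body; an empty list means none."""
    findings = []
    lowered = text.lower()
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", lowered)]
    for url in URL_RE.findall(text):
        parsed = urlparse(url.rstrip(".,;:!?)"))
        host = parsed.hostname or ""
        for brand in brands:
            # Brand is named, but the link does not lead to the brand's own site.
            if not on_official_domain(host, BRAND_DOMAINS[brand]):
                findings.append(f"{brand} named but link host is {host}")
        # A delivery notice has no reason to link straight to an Android package.
        if parsed.path.lower().endswith(".apk"):
            findings.append(f"link points directly at an APK on {host}")
    return findings


if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms) or "no indicators", "<-", sms)
```

A non-empty result is a reason to flag or quarantine the message, not proof of FluBot, and an empty result does not mean a message is safe.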

How to remove FluBot

A compromised device may need to have the malware removed manually. My colleague, Lukas Stefanko, has produced a short video with helpful instructions on how to remove this and any other malicious app:



If you receive an unknown or unexpected SMS message with a clickable link, refrain from clicking the link and delete the message instead. If the malware was installed on a device and banking or other activity has taken place since the installation, contact the organizations concerned immediately to block access and, where necessary, change passwords, remembering to make them unique and strong.

Whether this malware makes it to North America in any significant number or not, the functionality and the devastation already caused in Europe should heighten the call to action for all Android users – to watch out for suspicious messages and to install security software in order to prevent such extremely malicious apps from ever getting on their devices.