F5 security researchers have issued a warning about a new, enhanced version of the FluBot Android malware, which spreads under the guise of Flash Player. FluBot, a recent smishing campaign discovered by CSIRT KNF, targeted Polish users with a message asking them to click on a link to view a video. When recipients click the link, they are redirected to a page that offers a fake Flash Player APK, which installs the FluBot malware on their Android device.

In March, experts from the Swiss security firm PRODAFT estimated that there were approximately 60,000 infected devices worldwide. The Android malware has been used to steal banking credentials, payment information, and other sensitive data from infected devices.

In previous attacks, the malware spread by spamming text messages to contacts from infected phones instructing them to install corrupted apps from servers under the attackers’ control.

The malicious code also asks for permission to access the Android Accessibility service, which was designed to help users with disabilities use Android devices and apps but was abused by threat actors to carry out malicious activities.

Since October 2021, the threat actors behind the FluBot Android malware have been using bogus security updates to trick victims into installing malicious code. The attackers use fake security warnings about FluBot infections to persuade victims to install "security updates".

The FluBot infection chain is summarised in the steps below; the malicious code spreads through the initial victim's contact list.

  • The victim receives an SMS message with a link to a malicious URL.
  • When the victim clicks the link, they are prompted to install an app.
  • The victim installs FluBot by downloading and running the malicious app.
  • FluBot obtains access to the victim's contact list and uploads it to the C2 server.
  • FluBot downloads a new contact list to target.
  • FluBot propagates itself by sending SMS messages to the new list of target contacts.

FluBot communicated directly with the server through the use of HTTPS port 443 in version 4.9. The malware in FluBot version 5.0 communicates with the C2 server via DNS Tunneling over HTTPS.

According to F5, "A new command, UPDATE_ALT_SEED, is introduced in version 5.2. It allows attackers to remotely change the DGA (domain generation algorithm) seed. FluBot stores the updated seed in the shared preferences under the "g" key once such a command is issued."


The new version supports a list of commands, including:

  • UPDATE_DNS_SERVERS: new in version 5.0
  • NOTIF_INT_TOGGLE: notification interception
  • GET_SMS: propagation through SMS (also listed for version 5.2)
  • RELOAD_INJECTS: injections and overlays
  • UPLOAD_SMS: SMS logging
  • SMS_INT_TOGGLE: SMS interception
  • GET_CONTACTS: contact list logging
  • RUN_USSD: recharge using a phone call
  • Disable battery optimization
  • Keylogger / screen grabber
  • OPEN_URL: opens a URL on the device
  • SEND_SMS: sends SMS messages on demand

Finally, the researchers concluded: "In an attempt to isolate the C2 infrastructure, the feature allows operators to avoid DNS blocklists." They also noticed that the new version of the DGA mechanism employs 30 top-level domains, as opposed to just three in previous versions.
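Two behaviours described above (the DNS-tunnelled C2 channel introduced in version 5.0 and a DGA that now spreads across 30 TLDs with a remotely changeable seed) both argue for behavioural detection on DNS telemetry rather than a static domain blocklist. The following script is an added example written for this article, not code from F5 or from the malware, and it runs over a small constructed resolver log (the IPs and names are made up). It flags clients that produce bursts of NXDOMAIN answers across many distinct TLDs (a DGA pattern) and client/parent-domain pairs that repeatedly query long, high-entropy subdomain labels (a tunnelling pattern). Thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real FluBot traffic). One entry per line:
# "<timestamp> <client-ip> <queried-name> <response-code>"
SAMPLE_LOG = """\
2021-11-01T10:00:01 10.0.0.5 example.com NOERROR
2021-11-01T10:00:02 10.0.0.5 cdn.example.net NOERROR
2021-11-01T10:00:03 10.0.0.7 kdwqplzrtgvbmxcy.ru NXDOMAIN
2021-11-01T10:00:04 10.0.0.7 qmxnbvcplkjhgfdz.cn NXDOMAIN
2021-11-01T10:00:05 10.0.0.7 zxplmkjnbvcqwerty.com NXDOMAIN
2021-11-01T10:00:06 10.0.0.7 plmoknijbuhvygct.top NXDOMAIN
2021-11-01T10:00:07 10.0.0.7 wsxedcrfvtgbyhnu.xyz NXDOMAIN
2021-11-01T10:00:08 10.0.0.7 tgbyhnujmikolpqa.info NOERROR
2021-11-01T10:00:09 10.0.0.9 4a6f686e20446f65.a9c3f1.tunnel-example.org NOERROR
2021-11-01T10:00:10 10.0.0.9 5468697320697320.b7d2e4.tunnel-example.org NOERROR
2021-11-01T10:00:11 10.0.0.9 6120746573742031.c1e3a8.tunnel-example.org NOERROR
2021-11-01T10:00:12 10.0.0.5 mail.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode.upper()})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_suspects(records, min_nxdomain=5, min_tlds=4):
    """Clients whose NXDOMAIN answers are spread over many TLDs.

    A DGA that cycles through 30 TLDs produces exactly this shape: most
    generated names do not resolve, and the failures land on many suffixes.
    Thresholds are assumed defaults, not values from the F5 report.
    """
    nxdomain = defaultdict(int)
    tlds = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        nxdomain[r["client"]] += 1
        tlds[r["client"]].add(r["qname"].rsplit(".", 1)[-1])
    return {c: {"nxdomain": nxdomain[c], "tlds": sorted(tlds[c])}
            for c in nxdomain
            if nxdomain[c] >= min_nxdomain and len(tlds[c]) >= min_tlds}


def tunnel_suspects(records, min_queries=3, min_label_len=12, min_entropy=2.5):
    """(client, parent-domain) pairs that repeatedly query long, high-entropy
    leftmost labels under the same parent, i.e. data encoded into subdomains.
    Names with fewer than three labels carry no subdomain and are ignored.
    """
    hits = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        leftmost = labels[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            hits[(r["client"], parent)].add(leftmost)
    return {key: len(labels) for key, labels in hits.items() if len(labels) >= min_queries}


def analyze(text):
    """Run both detectors over a raw log and return their findings."""
    records = parse_log(text)
    return {"dga": dga_suspects(records), "tunnel": tunnel_suspects(records)}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        for key, detail in findings.items():
            print(f"[{kind}] {key}: {detail}")
```

The tunnelling check only works on queries the enterprise resolver actually sees. Because the page describes DNS tunnelling over HTTPS, a client that talks DoH directly to an external resolver bypasses this telemetry, so the same logic should be fed from an internal DoH gateway or from TLS connection logs toward known DoH providers, and egress policy should push clients to the monitored resolver.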
