Resurgent FluBot malware targets German and Polish banks
In recent days new overlays have been distributed that target a number of Polish and German banks, only days after news that FluBot has begun to target
FluBot is distributed in the first instance using text messages, containing links to so-called “lure” pages: web pages unintentionally hosted by compromised web servers, commonly impersonating parcel tracking services, or voicemail notifications. Lure pages attempt to induce visitors to download the malware.
German and Polish banks newly targeted
Financial apps are targeted by FluBot using “overlays”: fake user interfaces which typically impersonate the app’s login form and are presented to users when they open the app. Any credentials a user enters in an overlay are sent to a FluBot Command and Control (C2) server, so Android devices with both the FluBot malware and an affected app installed risk the theft of their account credentials, and all the consequences that entails.
Over the period from 10 to 13 August, attacks on the following German banking apps were discovered:
In addition, on 12 August, FluBot was noted to target these Polish banking apps:
By analysing the lure sites, we have concluded they are controlled from a command and control (C2) server. The C2 server provides both lure site HTML content, and the FluBot application in
.apk (Android application package) format. Equally, the C2 server can return an empty response or cause a redirect to a benign site; this might be intended to make it harder to detect and act against lure sites.
As of the beginning of August, the number of websites detected to be involved in the distribution of FluBot APK files has increased by an order of magnitude.
Once installed, FluBot invites the user to grant accessibility-related permissions; if given, it proceeds to take over the device, granting additional permissions to itself and protecting itself from being uninstalled.
Reverse-engineering of malware samples and interaction with C2 servers has allowed Netcraft to discover affected applications. FluBot uses a
Each C2 domain points to ten different compromised servers, providing another level of security for FluBot’s command and control infrastructure.
Soon after installing the malware, FluBot-infected devices contact a C2 server by executing the DGA, and download overlays for installed applications. Displaying the corresponding overlay after the user launches a targeted app allows the malware to steal user credentials.
Android users can protect themselves using