@linuxct
Last active April 15, 2021 15:20
FluBot 3.9


What is FluBot

As you know, the “Il tuo pacco sta arrivando” SMS is part of a scam, which asks the user to follow a link in order to track a package that is about to arrive. This SMS is part of a botnet of Russian origin, commonly known within the IT Security community as “FluBot” or “Cabassous”.

This is how it works:

  • The victim will receive an SMS containing a link to “track their package”.
  • If the victim is using an iOS based device, the link will redirect to a survey asking for some of their details in order to win a prize. No infection will occur on such devices.
  • If the victim is using an Android based device, they will be presented with a package courier-themed page (FedEx, DHL, Posta, Correos), asking them to download the courier’s package tracking application.
  • Once downloaded and installed on the device, the user will be prompted with several permission requests, asking them to grant “full control over the device” (explicitly) through an accessibility service, as well as access to their phone’s notifications.
  • If the user agrees to said permissions, the FluBot malware will start collecting and controlling all of the device’s SMS messages, and will read all the data present on the screen at all times.
  • If an infected user attempts to open any banking application the malware currently targets, the malware will close the legitimate banking application and show a fake login screen, asking the user for their account login details.
  • If the user logs in on the fake bank screen, the data will be transmitted to the threat actors, who will attempt to transfer as many funds as they can out of the victim’s account. They are able to do this because, since they also control the device’s SMS, they can intercept all SMS messages from the bank and use the 2-factor authentication codes the bank sends the user this way.
  • Lastly, the malware will attempt to spread when requested by the Command & Control server. It does this both by uploading the infected user’s contact list to the server, and by sending more SMS messages with the “Il tuo pacco sta arrivando” text on behalf of the infected user, to people who are not in that user’s contact list. This way, the recipients of these new SMS messages will see them coming from phone numbers they do not know.

History

I have been following the trail of this malware since it started spreading in Spain a couple of months ago. The first wave hit hard, because it was unexpected by both security researchers and users. I know many of you are able to identify this as a scam right away, because of the odd-looking domain names the links in the SMS have; and so did I at first. I thought not that many people would fall for this scam, but they did (mostly elders). In Spain, thanks to uploading the infected device’s contact list, the malware authors had access to the future victims’ names, so they started sending out personalized SMS messages with the victim’s name in them. This would persuade them into downloading the application by following the steps. They also translate both the webpages and the virus itself into the language of the country in which they are currently spreading, making it harder to detect, in the eyes of an elder, for example.

Thanks to PRODAFT’s analysis of the malware, it was discovered that, back then, the virus had gathered approximately 25% of Spain’s total mobile phone numbers, thanks to its spreading mechanisms.

After Spain, the malware started propagating in Germany, where it had very little impact, most likely thanks to the fast response from government institutions as well as the press and media, which quickly instructed users not to download anything from these SMS messages.

After Germany, Hungary was next, and the malware hit there very hard, much more than in Germany. Hungarians were not ready for the campaign that had been set up targeting their country, so many people suffered the same fate.

The malware is currently targeting Italy, and AGID’s CERT has published some coverage, which can be found here.

Capabilities of the malware

Once installed on the device, and with all of its permissions granted, the FluBot malware is capable of doing the following:

  • The malware will capture all the SMS messages received by your device.
  • The malware will capture all the text present on the device’s screen.
  • The malware will capture which application is currently open on the device, and use this information to show fake login screens or some other data-capturing method.
  • The malware will steal your device’s contact list and upload it to the attackers’ servers.
  • The malware will send SMS messages on behalf of the infected device’s owner.
  • The malware is able to prevent itself from being uninstalled from the device (using regular uninstallation methods).
  • The malware will “block” certain words from being displayed on the screen, such as “Flu Bot” (written without the space, case insensitive). If the word is detected, the malware will automatically close the application showing that text.
  • The malware is able to remain running in the background at all times, unless the device is restarted into Safe Mode.
  • The malware will replace the device’s SMS application with its own.
  • The malware is capable of listing the applications installed on the device, and of uninstalling any of them on behalf of the infected device’s owner.
  • The malware is capable of reading the clipboard contents.

How do I know if I am infected?

On its own, the malware is not able to steal any kind of information from the device unless the user grants it said permissions. This means that receiving the SMS does not mean you have become infected. Opening the link and then quickly closing the web browser does not mean you have become infected either. The only way to become infected is by clicking on the link, installing the application on the device (through an APK that gets downloaded), and then granting the accessibility permission to the courier-themed application.

Are you unsure whether you have done the above? Follow these steps to determine whether you are infected.

  • Download an application called ML Manager from the Google Play Store. This application will allow you to see all the applications currently installed on the device.
  • Open ML Manager and go through the list of applications installed on the device. Do you see any named “FedEx”, “DHL”, “Posta”, “Correos” or “MRW”? (Example)
    • If yes, then you may have become infected, please follow the removal steps.
    • If no, please continue with the next check.
  • Open the Messages application on your device (the one used for sending and receiving SMS messages). Does it have a UI like this?
    • If yes, then you may have become infected, please check the removal steps.
    • If no, then you have not become infected.

How do I remove it after checking that I am infected?

There are several ways to remove this malware, listed by difficulty from easiest to hardest.

  1. By installing a removal tool on your device. Follow the instructions below (in English):
    • Access this page: https://linuxct.github.io/remove/
    • Follow the on-screen steps to choose the appropriate version of the tool. You will need to use ML Manager, just like in the detection guide.
    • Install the application that gets downloaded to the device (like any other APK).
    • FluBot will be completely neutralized afterwards. You can then remove the helper tool you installed.
  2. By placing the device in “Safe Mode”. Follow the instructions below:
    • If your device’s brand is Samsung, turn the device off. Press and hold the power button until you see “Samsung” on the screen, then immediately release the power button and press and hold the Vol- (volume down) key until your device starts.
    • If your device’s brand is Huawei, turn the device off. Press and hold the Vol+ (volume up) and Power buttons at the same time. When you see the menu, select Safe Mode.
    • If your device is of neither brand, follow these generic steps: while the device is on, press and hold the power button. A “Power off” option should be listed. Press and hold the “Power off” option until you see a “Restart in safe mode” prompt, then accept it.
    • Once your device is in Safe Mode, proceed to uninstall the application by going to your device’s Settings, then Applications. It should appear listed as “FedEx”, “DHL”, “Posta”, “Correos” or “MRW”, and you should be able to uninstall it without any issue.
  3. By restoring your device to its factory default state. Please consult your device manufacturer’s guide on how to perform a factory reset. The steps needed to perform a complete factory reset vary depending on your device’s manufacturer. Remember to make a full backup of your data, as everything will be lost.
  4. By using ADB commands from your PC.
    • Open (and install, if needed) ML Manager on the infected device. Look for the malware on the device; it may be called “FedEx”, “DHL”, “Posta”, “Correos” or “MRW”.
      Below the application name there will be a string of text that may look something like “com.iqiyi.i18n” or “com.eg.android.AlipayGphone”. This is the package name of the malware. Take note of it, as you will use it later.
    • Download and install on your computer the appropriate debugging drivers for your device. You can find this information on your device manufacturer’s website.
    • Enable your smartphone’s Developer Settings. How to do so varies depending on the manufacturer of the device, so please check with your device’s manufacturer or on the internet.
    • Connect the smartphone with a USB cable to your computer.
    • Open a command prompt (PowerShell, CMD or Terminal) on your PC, and type in the following:
      adb devices
    • Hit enter, and a prompt asking whether to trust the PC the smartphone is connected to should appear on the device. Tick the “Remember choice” box and accept it.
    • Now enter the following command and press enter. This will open a “shell” on the infected device so that you can perform the removal from it.
      adb shell
    • Now copy the command below and paste it into the command prompt on your PC. You need to replace “<package name>” with the one you took note of in the steps before.
      pm uninstall <package name>
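The detection checks and the ADB steps above can be turned into a repeatable triage. The script below is an added example, not part of the original gist: it reads the three Android secure settings that record the roles the page says the malware needs (the enabled accessibility services, the enabled notification listeners and the default SMS application), keeps only third-party packages that hold at least one of them, and prints the matching `adb shell pm uninstall` commands for the operator to run. The package list and settings values embedded in it are a constructed sample; `--live` queries a connected, authorised device with adb, which is assumed to be on PATH.

```shell
#!/bin/sh
# Added triage helper for the ADB removal steps (not part of the original gist).
# The page says the malware needs three privileged roles: an accessibility service,
# notification access and the default SMS app. Any third-party package holding one
# of them is a candidate for `pm uninstall`. adb on PATH is needed only for --live.

# pkgs_from_services: "pkg1/Svc1:pkg2/Svc2" -> one package name per line.
# `settings get` prints "null" for an empty list; it has no '/', so nothing is emitted.
pkgs_from_services() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# suspect_packages THIRD_PARTY_LIST ACCESSIBILITY_SVCS NOTIFICATION_LISTENERS DEFAULT_SMS_PKG
# Prints every third-party package (one per line, sorted) holding at least one role.
suspect_packages() {
    third="$1"
    roles=$( { pkgs_from_services "$2"; pkgs_from_services "$3"; printf '%s\n' "$4"; } | sort -u )
    for p in $roles; do
        [ -n "$p" ] && [ "$p" != null ] || continue
        # system apps such as TalkBack are not in `pm list packages -3`, so they are skipped
        printf '%s\n' "$third" | grep -qxF "$p" && printf '%s\n' "$p"
    done
    return 0
}

# uninstall_commands: same result, printed as the ready-to-run command from the page's last step.
uninstall_commands() {
    suspect_packages "$@" | sed 's/^/adb shell pm uninstall /'
}

# collect_live: query a connected, authorised device (adb output may carry "\r").
collect_live() {
    third=$(adb shell pm list packages -3 | tr -d '\r' | sed -n 's/^package:\(.*\)$/\1/p')
    acc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    notif=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    sms=$(adb shell settings get secure sms_default_application | tr -d '\r')
    uninstall_commands "$third" "$acc" "$notif" "$sms"
}

# Constructed sample: one third-party package (named after the page's example) holds all three roles.
SAMPLE_THIRD="com.iqiyi.i18n
com.example.legit
com.eg.android.AlipayGphone"
SAMPLE_ACC="com.iqiyi.i18n/com.iqiyi.i18n.AccService:com.google.android.marvin.talkback/.TalkBackService"
SAMPLE_NOTIF="com.iqiyi.i18n/com.iqiyi.i18n.NotifListener"
SAMPLE_SMS="com.iqiyi.i18n"

if [ "${1:-}" = "--live" ]; then collect_live; else
    uninstall_commands "$SAMPLE_THIRD" "$SAMPLE_ACC" "$SAMPLE_NOTIF" "$SAMPLE_SMS"
fi
```

Because the uninstall goes through adb rather than the Settings UI, the accessibility-based trick the page describes for blocking regular uninstallation does not interfere with it.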

Last remarks

The current version of FluBot (version 3.9) is capable of detecting the word “FluBot” anywhere on the screen. If you, as a reporter, wish to mention “FluBot” in an article, please avoid writing it as is; instead put a space between the words Flu and Bot, so “Flu Bot” is fine. You may also refer to it in other ways, such as “the SMS malware” or “the Il tuo pacco sta arrivando malware”. This way, the malware authors cannot block the content from being read on infected devices, and everyone, even infected users, will be able to see the details.
