The FluBot SMS cyber attack continues to evolve

Criminals behind the prolific FluBot SMS-based cyber attack sweeping Australia and the world have flipped their scam on its head – they’re now telling potential victims they need to install a ‘security update’ to remove an existing FluBot infection. The ‘security update’ actually contains FluBot.
Darren Pauli · 15 October 2021 · 5 minute read

The latest trick showcases the criminals’ willingness to experiment with new scams (known as a pretext) in a bid to increase infections as news of the cyber attacks spread.

We warned of FluBot in August as reports of strange, often garbled “missed call” messages began to hit people’s SMS inboxes.

FluBot is malware – like a computer virus – that can be installed on your Android device if you click on a malicious link in a SMS message. This malware then sends many similar text messages to other people from your phone without your knowledge, potentially infecting them.

The malware requests high levels of access to a victim’s phone in order to steal data and proliferate to other devices. Modern Android phones will provide owners with warnings about the access an app is requesting, but this may be of little protection to those who believe they are installing a legitimate app.

The scam is thought to have begun in Italy before spreading around Europe and then coming to Australia. The attacks are independent of carriers and can potentially affect everyone.

Currently, the FluBot “bait” messages you’re likely to receive suggest you have an unchecked voicemail as a way to get you to click the link. The message content can change, however, as we’ve seen from the messages claiming to help with an existing Flubot infection.

It has also in recent weeks claimed the recipient has missed a parcel and that Australia Post deliveries have been stalled amid the Covid-19 pandemic.

If you click on the link, the FluBot malware authors will attempt to trick you into installing the virus by deactivating some security settings on your device. FluBot webpages you click may ask you to allow the installation of “unknown apps”, which is restricted by default to stop malware like FluBot.

Android devices typically don’t allow unknown apps (that is, apps not from the Google Play Store) to be installed by default. FluBot cannot be installed if the installation of unknown apps is left as its default setting of denied. We strongly recommend you leave this setting as denied.

FluBot also cannot, to date, be installed on iOS devices like iPhones and iPads.

Infected Android phones should be factory reset after important data like photos and phone contacts are backed up. Make sure you restore from a backup that was taken before you were infected with FluBot, otherwise you may risk reinfecting yourself.

If you don’t regularly back up your device, now is the time to start!

The evolution of the FluBot scam reinforces our continued message that the public is best placed to beat scams by being sceptical of all unexpected communications, regardless of the message, the sender, and the medium on which it was sent – be it email, SMS, chat message, or a phone call.

Telstra and our industry peers are continually examining ways to combat sophisticated threats such as Flubot.

You can report a scam to Telstra using our website. If you want to learn more, we also have more cyber safety advice on our website.

How you can tell if you are infected with FluBot

If you have clicked one of these links, you may be infected with FluBot already. The malware sits on your phone and intercepts passwords and other login details, while simultaneously sending out messages to your contacts to encourage them to install it too.

You can tell if you have FluBot in a few ways. Your phone may warn you it is sending a large number of text messages, and you are also likely to receive SMS messages from mobile numbers that have received FluBot links sent from your device. Customers of Telstra will also receive a message from us warning of a likely FluBot infection.

Finally, you may notice an app called ‘Voicemail’ bearing an icon of a blue cassette in a yellow envelope on your device. Please bear in mind the name and icon of this app could change anytime.

What we’re doing about it

Connected technologies increasingly sit at the very heart of the lives of most Australians. But as we move more rapidly to a digital economy, we need to be more and more cognisant of the growing cyber risks and those who seek to do us harm online.

We get that scams like FluBot are annoying, and we’re working to make the internet a safer place for our customers through our Cleaner Pipes initiative.

Cleaner Pipes includes a range of existing work designed to help keep our users safe from malicious activity online. We also recently announced we’re blocking around 13 million scam calls, on average, from being delivered every month.

Alongside Cleaner Pipes, we’re actively working to help people who have inadvertently been infected with FluBot. We identify compromised users based on the distinctive nature of the FluBot malware and notify those affected as to how they can fix their infected devices.

For even more online protection when you’re out and about, our Device Security product helps safeguard your mobile, tablet or laptop, keeping users from falling foul of scammers that want to do you harm.

Topics

By Darren Pauli

Cyber Security Expert

Darren is an information security reporter with more than a decade's experience in the beat. He came to Telstra's cyber security unit after serving as an infosec correspondent for various tech-focused publications. You'll find Darren in his spare time pursuing all things fitness and breaking things on his motorbike and around the house.

Related articles