This summer we met the FluBot malware, a banking Trojan that began to appear in greater numbers and whose ‘modus operandi’ was to arrive disguised as a text message. You could receive an SMS warning you of an update on the delivery of a package that had been lost, containing a link designed to steal data and money and infect your mobile. And guess who has come home, but not for Christmas …
FluBot is back
According to digital security researcher Sergio de los Santos of Telefónica Tech, there is a new cyberattack campaign that uses the same template as the FluBot banking Trojan and the same ‘MO’, with an SMS text message as the initial attack. The attack and infection scheme is as follows, according to the blog Protegerse.com:
- You receive an SMS message to your mobile that comes from a smartphone that has already been infected
- That message tells you the following: “We have a new personal voicemail for you! Check it in …”, followed by a link
- The link points to a website with a strange name: ‘royals-store’.
- You click on the link and are redirected to a site showing a template like the one FluBot used last June, only this time it tries to impersonate none other than Movistar
- The template tells you that you have to download a Movistar app to listen to that voice message, and that it is fine to do so because it is a ‘voicemail app’ (WTF?)
- As expected, if you download and install this application on your mobile, it will be infected by the FluBot Trojan
Malicious actions of the FluBot Trojan on your mobile
- Theft of the credentials used to access online banking
- Fraudulent screen overlays impersonating banking apps when the user opens them
- Interception of SMS sent by banks with verification codes needed to authorize transfers
These actions require “certain permissions that this type of malware usually obtains by asking the user to grant it accessibility permission, which gives the malware practically the necessary control” to deploy its scam and theft actions while trying to “get persistence on the infected device and avoid detection by trying to disable any installed security solutions.”
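As an added example (not from the original article or from Protegerse.com), the following Python checks an app's manifest for the capabilities described above before anyone installs it. It assumes the manifest has already been decoded from the APK to text XML; the sample manifest, the package name and the mapping from behaviours to manifest entries are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the behaviours listed above to manifest markers.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a fictional "voicemail" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.voicemail">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Voicemail">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the risky capabilities a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag)}
    # An accessibility service is declared as a <service> guarded by A11Y_BIND.
    a11y_services = [svc.get(ANDROID_NS + "name")
                     for svc in root.iter("service")
                     if svc.get(ANDROID_NS + "permission") == A11Y_BIND]
    findings = {
        "accessibility_service": bool(a11y_services),
        "sms_interception": bool(requested & SMS_PERMS),
        "overlay": OVERLAY_PERM in requested,
        "services": a11y_services,
    }
    # Accessibility control plus SMS access is the combination described above:
    # the app can act on the screen and read bank verification codes.
    findings["banking_trojan_profile"] = (
        findings["accessibility_service"] and findings["sms_interception"])
    return findings

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Legitimate accessibility tools also declare such a service, so a match is a reason to inspect the app further, not a verdict on its own.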
Delete the SMS
The Protegerse.com researcher suggests that the malware present in this SMS message is not FluBot, but comes “from someone who takes advantage of their propagation methods and templates to spread their own banking Trojan”. Be that as it may, this once again highlights the axiom of never opening links from senders we do not know or in messages that suddenly arrive from unknown numbers. If you receive it, just delete it.