FluBot Android malware is spreading fast

Posted by & filed under Security News.

A new Android malware called Flubot is spreading in Europe. FluBot steals passwords and login information to your online accounts, personal details, and banking information. The information is used to make payments (or in other words: steal your money), account takeover and online identity theft. FluBot also sends SMS messages to new victims and spreads itself further. All of this is done without the users’ knowledge.  

FluBot has so far been detected mostly in European countries. It’s likely to spread also to the rest of the world if the threat actors behind it aren’t stopped.  

Here’s how FluBot works 

An infected device sends an SMS message that contains a phishing link. The message claims it has been sent by some well-known delivery service, like DHL, UPS, FedEx, Correosor Amazon. 

The message tells there’s a package in delivery and prompts the receiver to install a tracking app to settle the delivery time. Following the provided link, the victim downloadthe malware that is masked using the delivery company’s name and logo. 

Once downloaded, the “tracking app” that actually is FluBot, asks for accessibility permissions. If granted, the malware grants itself more extensive app permissions and becomes a system app. Then it can start its work. 

How to stay safe from FluBot and other mobile malware  

There should be no illusion about this: mobile phones are not immune to online threats. Malware, phishing, unsafe networks, and other threats for mobile phone users also exist. FluBot is just one of the newest threats out there. Here’s a few things you can do to protect your mobile phone and digital life on the go.

1. Use antivirus for mobile devices

Malware targeting mobile devices is getting more common. While official app stores are not likely to spread malware, you can get infection from other sources.

2. Don’t open suspicious links

Check the email address of the sender. Due to the smaller screen space, most mobile email apps show only the name of the sender, not their address. Mobile devices are also used on the go, which makes it easier to fall for phishing scams. Don’t open suspicious links. Remember, no reputable company or authority will ask for personal information through email or SMS.  

3. Avoid shady apps

While there’s no unambiguous way to tell a suspicious app from a genuine app, start by thinking what you use it for. If it’s not necessary, there’s no point in getting it. If it doesn’t work for you, delete it immediately. In case of tracking packages, you can typically do that on the carrier’s website and don’t need a separate app for that. Don’t download apps from unofficial appstores and remember that it’s not a good idea to enable the “Install from Unknown Sources” option. 

4. Don’t give apps unnecessary permissions

Like in FluBot’s case, granting app permissions can enable malware and other suspicious apps to do malicious tasks. It can also lead to data leakage. Always consider what permissions you grant to apps. Why do they need them? 

As an iPhone user, do I have to care about FluBot 

The malware itself isn’t a threat to iPhone users, but the phishing website can still be dangerous. Don’t open any suspicious links and be careful about what personal information you give to online services. The 4 tips provided earlier are useful for iPhone users as well. 


The information contained in this website is for general information purposes only. The information is gathered from F-SECURE, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.