Australians have been urged to stay alert to a dangerous scam that targets mobile users with the goal of stealing their information.
Recent research from cybersecurity firm Avast found that mobile users in several countries have received text messages purportedly from a delivery company. Victims are then asked to download a ‘tracking app’ to track the status of a package.
However, the app is instead used to steal victims’ credentials and personal data.
Worldwide, the phishing SMS and its related app, dubbed FluBot, have already infected 60,000 devices. And as of early March, Avast suspects the attackers have collected 11 million phone numbers.
“The first FluBot attacks were reported weeks ago, and we still see tens of new sample versions evolving every day,” said Ondrej David, malware analysis team leader at Avast.
“At the moment, primary targets of the attacker’s campaign are Spain, Italy, Germany, Hungary, Poland and the UK. But there is some potential that the scope of operation may be extended to target other countries in the near future.”
He said security solutions can block the attacks, but the speed at which the scam campaign has spread shows that it has so far been very successful.
“We urge people to be very careful with any incoming SMS they receive, especially referring to delivery services.”
What type of scam is it?
FluBot is an SMS-based malware campaign. It works by asking victims to download a tracking app from within the text message.
However, the app itself is malware that will steal victims’ details and upload them to a remote server.
Then, that information is used to target further attacks and malicious SMS messages.
Why is this one so bad?
The FluBot app uses an Android component called Accessibility to monitor what’s happening on someone’s device. The same component also allows the app to control the device.
This means that it can show window overlays, drawing its own content on top of whatever is currently on the screen.
For example, a fake banking portal could be shown over a legitimate banking app. Then, when a user enters their credentials into the fake banking portal, their details can be stolen.
The Android component also makes it harder for victims to remove the malware from their devices.
“What makes this malware particularly successful is that it disguises itself as postal/parcel delivery services, using text along the lines of ‘Your parcel is arriving, download the app to track’ or ‘You missed your parcel delivery, download the app to track’, to which a lot of unsuspecting users would easily fall victim,” David said.
“This is especially the case in the current situation where some form of home delivery has become the standard mode of operation for many businesses during the pandemic.”
How to protect yourself
Avast said the first step is to install an antivirus solution. If you think you’ve already been affected by a scam like FluBot, you can run the antivirus software to identify it.
If you find that you have been infected, Avast said the best step is to reboot your device to safe mode before uninstalling the application.
More generally, it’s critical that Australians avoid clicking links in SMS messages - particularly those that ask you to install software.
It’s also a good idea to be sceptical about any suspicious text messages.
“Err on the side of caution with any suspicious SMS. If you receive a communication you weren’t expecting, it is always best to call the company yourself using the contact information provided on their legitimate website, to confirm the message received,” Avast said.
“Don’t reply directly to suspicious communication. Always begin a new communication via the company’s official service channels.”
And if something looks too good to be true, it probably is. Any message telling you that you’ve inherited a large sum, that you have a parcel delivery you don’t remember ordering or that you’ve won a new iPhone should be treated with scepticism.
Finally, don’t install apps from anywhere other than official app stores such as the Apple App Store or Google Play.