FluBot: Malware as a Service Meets Mobile Phishing

April 27, 2021

Recently, Europeans were hit by an influx of SMS texts claiming to be package delivery notifications. It turns out these messages were orchestrated by threat actors seeking to distribute malicious apps laced with the banking trojan FluBot, also known as Cabassous. Once the victims download the malware, the app can intercept SMS messages, steal contact information and display screen overlays to trick users into handing over their credentials.

This campaign is the latest example of how attackers are leveraging various mobile-targeting methods to maximize their return. FluBot is a cheap but highly customizable banking trojan. SMS phishing takes advantage of the trust we put in our mobile devices. By fusing the two together, the attackers have created a dangerous apparatus that puts your personal and organizational data at risk.

How is FluBot getting distributed?

It was just recently that I wrote about phishing attacks disguised as WhatsApp and Telegram authentication messages to socially engineer a number of Australian government officials. This is yet another illustration of why mobile phishing is so effective.

In the case of FluBot, it seems that the attackers are taking advantage of the recent Facebook data leakage in which the information of over 500 million users was exposed. What’s unique about the campaign is that it has different kill chains depending on whether the target uses an iOS or Android device. Android victims and some iOS victims are directed to a website that prompts them to download an app. Other iOS targets are shown fake online banking pages to trick them into giving up their credentials.

Malware-as-a-service is on the rise

FluBot is the most recent example of malware as a service (MaaS) to make the news. Threat actors are business people too, and they are always looking for the lowest investment with the highest return. MaaS is perfect for lowering the costs for threat actors because it is inexpensive, easy to set up and highly customizable.

Another prominent MaaS is BancaMarStealer, a banking trojan that Lookout researchers reported on in 2018. Similar to FluBot, BancaMarStealer is distributed to both iOS and Android victims using SMS messages. Because it’s older, we have a good understanding of its usage, which has been growing exponentially. In 2018, we reported that there were about 7,700 samples. As of March 2021, the number of samples has grown nearly tenfold to more than 74,000.

What makes FluBot more sophisticated than other MaaS is its use of a domain generation algorithm (DGA). This algorithm creates slightly different variations of a given domain name – a technique known as domain fluxing – to hide its command-and-control server IP address among a long list of benign domains. As we’ve seen with BancaMarStealer, MaaS trojans are frequently reused. Since FluBot is even stealthier than BancaMarStealer, it is very likely that we will see similar growth in FluBot variants.
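A defender's view of the DGA behaviour described above, as an added example that is not from the original article or from Lookout: a device cycling through generated names typically produces a burst of failed lookups for random-looking domains before one resolves. The log format, thresholds and `.example` names below are constructed assumptions, and the heuristic does not reproduce FluBot's actual algorithm.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one "client qname rcode" per line. Not real traffic;
# every name sits under the reserved .example TLD.
SAMPLE_LOG = """\
10.0.0.5 www.shop.example NOERROR
10.0.0.5 mail.shop.example NOERROR
10.0.0.7 decommissioned-fileserver.example NXDOMAIN
10.0.0.9 xkqjhwpzvbtlrmd.example NXDOMAIN
10.0.0.9 qzvtkplwxhgbnrj.example NXDOMAIN
10.0.0.9 bwnrtqkzjxvhplm.example NXDOMAIN
10.0.0.9 hjplzxkqwvtbnrg.example NXDOMAIN
10.0.0.9 tvbqxzkjwhplnrm.example NOERROR
"""

def shannon_entropy(label):
    """Bits per character; random strings score higher than words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(qname, min_len=12, min_entropy=3.5):
    """Heuristic: the longest label is long and high-entropy.
    A production check would isolate the registrable label with the
    Public Suffix List instead of taking the longest label."""
    label = max(qname.lower().rstrip(".").split("."), key=len)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dga_clients(log_text, min_failures=3):
    """Return {client: [generated-looking names that resolved]} for clients
    with at least min_failures distinct generated-looking NXDOMAIN lookups."""
    failed, resolved = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        if not looks_generated(qname):
            continue
        if rcode == "NXDOMAIN":
            failed[client].add(qname.lower())
        elif rcode == "NOERROR":
            resolved[client].add(qname.lower())
    return {c: sorted(resolved[c]) for c, names in failed.items()
            if len(names) >= min_failures}

if __name__ == "__main__":
    for client, hits in find_dga_clients(SAMPLE_LOG).items():
        print(client, "probable DGA lookups; resolved candidates:", hits)
```

The names returned for a flagged client are the ones worth investigating first, since a generated-looking domain that resolves after a run of failures is a candidate for the live rendezvous point.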

Mobile phishing and MaaS – a dangerous combination

History has shown us that mobile phishing attacks, while simple, are highly effective. Just look at this widespread campaign Lookout uncovered in 2021 that targeted mobile banking users across North America. These attacks are so effective because mobile devices are now at the center of everything we do, from staying in touch with family and friends to getting package delivery updates and verifying accounts. Combine this with how cheap and easy it is to use MaaS, and you have a dangerous combination that can easily put your personal and organizational data at risk.

The first step of mitigating the risk against something like FluBot is educating users on the dangers of mobile-targeting phishing attacks. Your employees need to understand that phishing can come from countless apps, such as SMS texts, social media and dating apps.

They also need to know that the telltale signs they’re used to on desktop computers don’t exist within the simplified mobile user experience. Because of the smaller screen, you oftentimes can’t see the full URL of the webpage you’re on, you can’t hover over a link to see where it’s taking you, and you’re more likely to overlook small giveaways because we operate so reactively on these devices.

How to protect against the ever-evolving malware threats

Malicious actors often reuse bits and pieces of malware like FluBot to build new malware. This means that if your security solution only searches for malware by comparing against a dataset of old samples, the new malware won’t be detected.

To ensure that your organization is completely protected against MaaS, you need a cybersecurity solution that’s cloud-delivered and uses crowdsourced data and machine learning. Only with a deep understanding of the artifacts of pre-existing malware can you secure against threats that you’ve never seen before.

Lookout has an integrated platform that is backed by a security graph with telemetry data from millions of devices, apps and web domains. Visit our secure access service edge (SASE) solution page to learn more about how we can secure your organization from endpoint to cloud.

You can try the free consumer Lookout app for iOS or Android, or you can use Lookout for Enterprise for free for 90 days.
