The Android malware FluBot has resurfaced with new features. The banking Trojan is now tricking victims by posing as Adobe Flash Player and luring users into downloading malicious software that steals data.
The banking Trojan targeted Polish users via SMS asking them to click on a link to watch a video. Upon clicking on the link, users were redirected to a page offering a fake Flash Player APK that installs the FluBot malware on the Android device.
Once installed, the malware can steal online banking credentials, send or intercept SMS messages (and one-time passwords), and capture screenshots.
The stolen data is then delivered to the malicious actors. As a second step, the malware uses the victims’ device to send new smishing messages to all of their contacts, and it usually spreads like wildfire.
Anyone who receives a suspicious text or link asking them to install the Flash Player should simply ignore it, not click any link in the message, and delete the message immediately, researchers from Polish cybersecurity firm CSIRT KNF advised.
The malware was first identified in late 2020, targeting Spanish users. In March of last year, researchers from Swiss security outfit PRODAFT estimated that the number of compromised devices worldwide was approximately 60,000.
Since October 2021, the attackers behind the malicious code have been leveraging fake security updates to lure victims into installing the malware: they display bogus warnings of a FluBot infection and urge users to install a "security update".
With the release of the most recent version 5.2, the DGA (domain generation algorithm) system received much attention from the malware authors, as it’s vital in enabling the actors to operate unobstructed.
“In version 5.2 a new command, UPDATE_ALT_SEED, is introduced. It enables the attackers to change the DGA (domain generation algorithms) seed remotely. Once such a command is dispatched, FluBot stores the updated seed inside the shared preferences under ‘g’ key,” reads the report published by F5 researchers.
The feature lets operators evade DNS blocklists that defenders build to isolate the C2 infrastructure. In its latest version, FluBot’s DGA uses 30 top-level domains instead of the three used previously, and the new command lets attackers change the seed remotely. On the communication side, the new FluBot connects to the C2 through DNS tunneling over HTTPS, whereas version 4.9 used direct HTTPS on port 443.
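To see why a remotely changed seed undermines a static blocklist, here is an added Python example that is not from the article or from F5's report: a hypothetical seeded DGA (not FluBot's actual algorithm), a blocklist a defender would precompute from a known seed, and the coverage that blocklist keeps before and after the seed is rotated. The TLD list, seeds and date are constructed, and the distinct-TLD count at the end illustrates why a spread across many TLDs is itself a signal worth alerting on.

```python
import hashlib

# Constructed list of 30 TLDs standing in for the 30 the article mentions;
# it is not FluBot's real list.
TLDS = ["com", "net", "org", "info", "biz", "top", "xyz", "site", "online", "club",
        "ru", "cn", "su", "eu", "de", "fr", "es", "it", "pl", "nl",
        "io", "co", "me", "tv", "cc", "ws", "pw", "icu", "shop", "live"]


def toy_dga(seed: str, day: str, count: int = 20) -> list[str]:
    """Hypothetical seeded DGA (NOT FluBot's algorithm): derive `count` domains
    for ISO date `day` by hashing seed, date and index; the digest picks both
    the label letters and the TLD."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for(seed: str, day: str, count: int = 20) -> set[str]:
    """What a defender can precompute once the algorithm and seed are known."""
    return set(toy_dga(seed, day, count))


def coverage(blocklist: set[str], observed: list[str]) -> float:
    """Fraction of observed DGA lookups the blocklist would have caught."""
    if not observed:
        return 1.0
    return sum(1 for d in observed if d in blocklist) / len(observed)


def seed_rotation_effect(old_seed: str, new_seed: str, day: str) -> tuple[float, float]:
    """Blocklist coverage with the known seed, then after an UPDATE_ALT_SEED-style
    rotation to a seed the defender does not have."""
    blocklist = blocklist_for(old_seed, day)
    before = coverage(blocklist, toy_dga(old_seed, day))
    after = coverage(blocklist, toy_dga(new_seed, day))
    return before, after


def distinct_tlds(domains: list[str]) -> int:
    """Number of different TLDs in a batch of lookups: a list-independent signal."""
    return len({d.rsplit(".", 1)[1] for d in domains})


if __name__ == "__main__":
    print(seed_rotation_effect("seed-A", "seed-B", "2022-01-31"))  # prints (1.0, 0.0)
```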