Flubot Malware Targets Androids With Fake Security Updates and App Installations

Risk: high
Damage: high
Platform(s): Android OS; Mobile Networks and Telephones
Advisory ID: ngCERT-2021-0057
Version: N/A
CVE: N/A
Published: October 19, 2021

Summary

A newly discovered Android malware, dubbed FluBot, impersonates Android mobile banking applications by drawing a fake web view over the targeted applications. The malware primarily focuses on stealing credit card details and online banking credentials, in addition to personal data.

Description & Consequence

FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMS messages, and transmit the victim's contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the Accessibility settings on the device so as to maintain persistence. It presents fake login screens of prominent banks; once the user enters their login details on these phony pages, the data is immediately sent to the malware operator's control center, where the operators can readily exploit it. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device, and thus receives access codes sent via SMS. Furthermore, it sends similar SMS messages to the contacts on the target device to lure them into downloading the fake app.

  1. FluBot attempts to steal your banking and credit card information as well as your contact list, which it uploads to a server in order to keep spreading itself. Once a device has been infected with FluBot, the result can be significant financial loss.
  2. The malware creates a backdoor which grants the attacker access to the user's device. This enables the attacker to perform malicious operations and even deploy other malware variants.
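The two persistence footholds described above (an attacker-controlled accessibility service and a replaced default SMS handler) are both visible in the device's secure settings, so a responder can triage a suspect phone before deciding on a factory reset. The script below is an added example, not ngCERT's or the malware's code; the allowlists and the sample package name com.example.fakedhl are constructed assumptions for illustration, and the adb settings keys are standard Android secure-namespace keys.

```python
"""Triage an Android device for an unexpected accessibility service and a
replaced default SMS app, the two footholds the advisory describes.
Added example; baselines below are illustrative assumptions, not vendor data."""
import subprocess

# Assumed baseline of packages allowed to hold these roles (adjust for your fleet).
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.android.messaging",
                  "com.samsung.android.messaging"}
KNOWN_ACCESSIBILITY_PKGS = {"com.google.android.marvin.talkback", "com.android.talkback"}


def adb_setting(key: str) -> str:
    """Read a 'secure' namespace setting over adb (needs USB debugging enabled)."""
    out = subprocess.run(["adb", "shell", "settings", "get", "secure", key],
                         capture_output=True, text=True, check=True).stdout.strip()
    return "" if out == "null" else out


def parse_accessibility_services(value: str) -> list[tuple[str, str]]:
    """Split Android's 'pkg/cls:pkg2/cls2' list into (package, class) pairs."""
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        if entry:
            pkg, _, cls = entry.partition("/")
            pairs.append((pkg, cls))
    return pairs


def triage(enabled_services: str, default_sms: str) -> list[str]:
    """Return one finding per package holding a sensitive role outside the baseline."""
    findings = []
    for pkg, cls in parse_accessibility_services(enabled_services):
        if pkg not in KNOWN_ACCESSIBILITY_PKGS:
            findings.append(f"unexpected accessibility service: {pkg}/{cls}")
    if default_sms and default_sms not in KNOWN_SMS_APPS:
        findings.append(f"default SMS app replaced: {default_sms}")
    return findings


# Constructed sample values standing in for a suspect device's settings.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback."
                   "TalkBackService:com.example.fakedhl/.svc.A11y")
SAMPLE_SMS = "com.example.fakedhl"

if __name__ == "__main__":
    try:
        services = adb_setting("enabled_accessibility_services")
        sms = adb_setting("sms_default_application")
    except (FileNotFoundError, subprocess.CalledProcessError):
        services, sms = SAMPLE_SERVICES, SAMPLE_SMS  # no device attached: use the sample
    for line in triage(services, sms) or ["no unexpected accessibility service or SMS handler"]:
        print(line)
```

Any package flagged here that the user did not knowingly install is a strong indicator of the infection described above; on newer Android releases the default SMS role is also visible through the Roles UI, so treat this as a first check rather than a complete audit.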

Solution

  1. Do not click on the link if you receive a suspicious text message, and do not install any app or security update the page asks you to.
  2. Use updated antivirus software that detects and prevents malware infections.
  3. Apply critical patches to the system and applications.
  4. Use strong passwords and enable 2FA on logins.
  5. Back up data regularly.
  6. If you have been affected by this campaign, you should factory reset your device as soon as possible. This will delete all data on your phone, including personal data.
  7. Do not restore from backups created after installing the app. You may contact ngCERT at incident@cert.gov.ng for technical assistance.
  8. You will also need to change the passwords for all of your online accounts, with urgency around your online bank accounts. If you have concerns that your accounts may have been accessed by unauthorised people, contact your bank immediately.

Reference

1. https://www.cert.govt.nz/individuals/alerts/flubot-malware-infecting-android-phones/
2. https://cloudsek.com/threatintelligence/flubot-malware-threat-intel-advisory/
3. https://threatpost.com/flubot-malware-targets-androids-with-fake-security-updates/175276/
