
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 222: BEWARE OF FLUBOT MALWARE ON ANDROID DEVICES

Reference Number ACG-CSB 101921222

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

               FluBot is a newly discovered Android banking malware family whose presence has been increasingly worrying in the past months. Although it uses many of the tricks found in older malware families, this malware family has made a lot of progress in just a handful of months, infecting many devices, spreading quickly, and inflicting serious damage.

 

            The malware targets different mobile apps depending on the device’s language setting. There have been detections of the malware targeting banking apps mainly in Spain. However, it may move on to other markets such as Poland, Germany, Hungary and the UK. Besides targeting mobile banking apps, FluBot has its sights on cryptocurrency-related mobile apps as well, regardless of the device’s language setting.

 

            Once the malware application is installed and opened, it asks the victim to enable its accompanying accessibility service. Once this is granted, the malware abuses the accessibility service to grant itself several permissions and starts trying to connect to a server. Interestingly, there is no server or domain name hardcoded in the application; the malware dynamically generates domain names, which it then attempts to resolve. It may take a few tries until it manages to find a resolvable domain name, after which the real communication begins.
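A defender-side illustration of the behaviour described above, added here as an example and not taken from the bulletin or its sources: a run of failed lookups for never-before-seen names, followed by one success, leaves a recognisable pattern in DNS resolver logs. The log format, sample lines, domain names, function name and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample resolver log, one query per line:
# "<epoch_seconds> <client_ip> <qname> <rcode>". All names are made up.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.7 qhdyrkwpxmtlbva.example NXDOMAIN
1002 10.0.0.7 lmvbxtqzkdyrwpa.example NXDOMAIN
1003 10.0.0.7 zkrwpdyqhmtlbxv.example NXDOMAIN
1004 10.0.0.5 typo-domain.example NXDOMAIN
1005 10.0.0.7 bxvqhdtlzkrwpmy.example NXDOMAIN
1006 10.0.0.7 wpmyzkrbxvqhdtl.example NXDOMAIN
1007 10.0.0.7 dtlwpmyzkrbxvqh.example NOERROR
1500 10.0.0.5 mail.example.com NOERROR
"""

def find_dga_candidates(log_text, window=60, min_failures=5):
    """Flag clients that fail to resolve at least `min_failures` distinct new
    names within `window` seconds and then resolve another new name.
    Returns a list of (client, failed_name_count, first_resolved_name).
    Both thresholds are assumed values and need tuning per network."""
    failures = defaultdict(deque)  # client -> (ts, qname) of recent NXDOMAINs
    seen = defaultdict(set)        # client -> every name it has queried
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, rcode = int(parts[0]), parts[1], parts[3]
        qname = parts[2].lower().rstrip(".")
        recent = failures[client]
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop failures that fell out of the window
        first_time = qname not in seen[client]
        seen[client].add(qname)
        if rcode == "NXDOMAIN" and first_time:
            recent.append((ts, qname))
        elif rcode == "NOERROR" and first_time:
            # A new name resolving right after a burst of failures is the signal.
            if len(recent) >= min_failures:
                alerts.append((client, len(recent), qname))
                recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_dga_candidates(SAMPLE_LOG):
        print(alert)
```

A single mistyped domain, like the one from 10.0.0.5 in the sample, stays below the threshold and raises no alert.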

 

            After establishing a connection to the attacker’s server, the malware sends a list of installed applications to the server, which then responds with a list of applications it wants to target. This leads the malware to retrieve injects, which are then shown on top of the targeted applications.

 

            Mobile malware is an ever-evolving threat that requires constant monitoring. With quickly evolving malware variants such as FluBot, it’s important to have an up-to-date database of threats at your disposal to be able to effectively protect your users against becoming the victims of these attacks.

 

RECOMMENDATION

 

All PNP personnel as well as the public are advised to follow these tips to avoid the risk of FLUBOT MALWARE:

 

  • Software should be downloaded from legitimate sources (e.g., official pages or platforms). It is never safe to use unofficial pages or other sources for downloading files or applications.
  • Irrelevant email messages that contain attachments or website links should not be trusted, especially if they are received from an unknown sender. Cybercriminals often use emails of this kind to deliver malware by encouraging users to open the attachment or click on a provided link.
  • Installed programs must be updated and activated using tools provided by their official developers. Unofficial third-party tools are often malicious. Moreover, it is illegal to bypass activation of any licensed software using 'cracking' tools or pirated software.
  • Additionally, your device should have reputable antivirus or anti-spyware software installed to scan the device regularly.

 

For additional information, please refer to the following websites:

  • https://www.pcrisk.com/removal-guides/20475-flubot-malware-android
  • https://www.threatmark.com/flubot-banking-malware/

 

 

POINT OF CONTACT

 

            Please contact PCPT MARK GERALD A NORBE, Police Community Relations Officer, on telephone number (632) 723 0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.