FluBot Android Spyware Spreading Through Fake Delivery Apps

Android mobile phone users across the U.K. are being targeted by text messages containing a spyware called “FluBot,”, according to the country’s National Cyber Security Centre. This variant of the attack is also referred to as Smishing, a combination of “SMS” and “phishing.” 

In the case of phishing, attackers send fraudulent emails that trick recipients into opening a malware-aided attachment or clicking on a malicious link. On the other hand, in the case of Smishing, emails are replaced by text messages. Additionally, Android devices continue to remain the prime target for smishing malware for two reasons, including the growing popularity of Android platforms and the flexibility it offers. 

In a recent tweet, a security researcher shared information about a tracking ID masquerading to be from DHL. When users click on the link, it redirects to a fake DHL page and drops malware in the background. On scanning the dropped app through VirusTotal, it turns out to be a variant of FluBot detected by multiple antivirus signatures, as shown in Figure 1. 

Figure 1 VirusTotal Detections of the App 

For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application using the digest from the VirusTotal result.  

Figure 2 Information available in the Cyble Threat Intelligence Platform 

Sample digest used for our analysis:  

74183f6454d2aaa44fcb363eb71beb33f04845c7fe4b402d06a87bab7b99e235 

Technical Analysis: 

Once the application is installed, FluBot obtains all the permissions necessary to access and steal sensitive information such as passwords, online bank details, and other personal data, as well as the ability to spread itself to other devices.  

The available permissions from the application, as retrieved by performing static analysis, are shown in Fig. 3. 

Figure 3 Permissions requested by the app 

Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below: 

Permissions: 

  • android.permission.SEND_SMS  
  • android.permission.READ_PHONE_STATE  
  • android.permission.WRITE_SMS  
  • android.permission.CALL_PHONE  
  • android.permission.RECEIVE_SMS  
  • android.permission.INTERNET  
  • android.permission.READ_CONTACTS  
  • android.permission.READ_SMS 
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS 
  • android.permission.QUERY_ALL_PACKAGES 
  • android.permission.REQUEST_DELETE_PACKAGES 
  • android.permission.KILL_BACKGROUND_PROCESSES 
  • android.permission.ACCESS_NETWORK_STATE  
  • android.permission.WAKE_LOCK  
  • android.permission.FOREGROUND_SERVICE 

Services: 

  • com.eg.android.AlipayGphone.MyNotificationListener 
  • com.eg.android.AlipayGphone.ForegroundService 
  • com.eg.android.AlipayGphone.HeadlessSmsSendService 
  • Com.eg.android.AlipayGphone.MyAccessibilityService 

Receivers: 

  • com.eg.android.AlipayGphone.SmsReceiver 
  • Com.eg.android.AlipayGphone.MmsReceiver 

Intent Filters by Action: 

  • android.service.notification.NotificationListenerService 
  • android.intent.action.RESPOND_VIA_MESSAGE 
  • android.accessibilityservice.AccessibilityService 
  • android.intent.action.MAIN 
  • android.intent.action.SEND 
  • android.intent.action.SENDTO 
  • android.provider.Telephony.WAP_PUSH_DELIVER 
  • android.provider.Telephony.SMS_DELIVER 

On analyzing the APK file, it was observed that the application is encrypted through StringFog (XOR encryption technique), which is an Android plug-in tool. It automatically encrypts strings in dex/aar/jar files, adding a haze layer to strings, making it difficult to understand. 

The mechanism behind StringFog is shown below: 

Figure 4 StringFog Mechanism 

Figure 5 StringFog Implementation in the app 

After opening the application, it requests users to enable the accessibility service from the settings to enable full access to the app. After that, it lures victims into changing the Accessibility settings on their phones, forbidding them to uninstall the app. Also, through this service, the app executes screen taps and other commands without the user’s knowledge. 

Figure 6 Pop up Message requesting users to enable Accessibility service. 

The Code presence of the FluBot can be found in one of the classes, namely, “com.e.g. android.AlipayGphone.MyAccessibilityService” which uses the Bind accessibility service permission. This permission is necessary to allow the accessibility service found in the manifest file of the app. However, obfuscation and partially packed content made it difficult to retrieve the content from the class. This class is mainly used for the remote access functionality, along with the spyware’s ability to steal sensitive information by taking control of other applications and killing the processes running in the background. 

Figure 7 Accessibility Service enabled 

The FluBot Android Spyware is rapidly spreading across the world. As per the security guidance issued by the National Cyber Security Centre (NCSC), affected users have been requested to reset their devices and also change their passwords that may have been compromised. 

Safety Recommendations: 

  1. Keep your antivirus software updated to detect and prevent malware infections. 
  1. Keep your system and applications updated. 
  1. Use strong passwords and enable two-factor authentication during logins. 
  1. Verify the privileges and permissions requested by the app before granting access. 
  1. People concerned about the exposure of their stolen credentials in the dark web can register at AmiBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic Technique ID Technique Name 
Défense Evasion T1418 T1406 1. Application Discovery 2. Obfuscated Files or Information  
Credential access T1409 1.Access Stored Application Data 
Discovery T1421 T1422 
T1430 T1418 T1426 
1. System Network Connections Discovery 2. System Network Configuration Discovery 3. Location Tracking 4. Application Discovery 5. System Information Discovery 
Collection T1432 T1430 T1507 T1409  1. Access Contact List 2. Location Tracking 3. Network Information Discovery 4. Access Stored Application Data 
Command and Control T1573 T1071 T1571 T1219 1. Encrypted Channel 2. Application Layer Protocol 3. Non-standard Port 4. Remote Access Software 
Impact T1447 T1448 1. Delete Device Data 2. Carrier Billing Fraud 

Indicators of Compromise (IoCs): 

IoC  IoC Type  
74183f6454d2aaa44fcb363eb71beb33f04845c7fe4b402d06a87bab7b99e235 SHA256   
android.accessibilityservice.AccessibilityService Intent by Action 
android.provider.Telephony.WAP_PUSH_DELIVER Intent by Action 
https://wa.me/qr/ Interesting URL 
172.217.23.46 IP address 
/data/user/0/com.eg.android.AlipayGphone/shared_prefs/DHL.xml File path dropped. 

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.

Leave a Comment

Your email address will not be published.

%d bloggers like this: