
FluBot V4.9 Spreading across New Zealand

Cyble Research Labs discovered a sample of a FluBot malware variant during a routine threat-hunting exercise. The variant names itself “Android Security Update” to deceive users into thinking that the app is genuine. FluBot is an Android banking Trojan that takes control of the device, collects sensitive information, and even sends SMS messages to the victim’s contacts.

To distribute the malware, the attackers rely on Smishing (SMS phishing). In phishing, attackers send phony emails that mislead recipients into opening malware-laden attachments or clicking on harmful links; in Smishing, the emails are replaced by text messages.

The well-known FluBot Android banking Trojan uses a new trick to target New Zealand (NZ) users: it deceives them into downloading a fake “Android Security Update” app by warning them about… FluBot itself.

The link in the text message directs the user to a page that either instructs them to download a package-tracking app or informs them that their phone has been infected with FluBot and that they should download anti-FluBot software.

If users follow the link in the text message, they are presented with a bright red screen that states, “Your device is infected with the FluBot malware. Android has identified an infection on your smartphone.”

The warning page by itself does not infect the device, but if users follow its directions they are redirected to a download page that tricks them into installing the malicious APK, which then compromises the device.

Figure 1 Installation page for FluBot
(Source: cert.govt.nz)

Cyble Research Labs downloaded and thoroughly examined the malware sample. The FluBot variant spreading through this campaign is version “V4.9”, whose code is functionally identical to “V4.8”; it performs suspicious activities such as accessing contact data, SMS data, and device notifications.

Figure 2 FluBot Version

Technical Analysis

APK Metadata Information:

The metadata information of the downloaded and analyzed sample is shown in Figure 3.

Figure 3 Metadata Information of the APK file

Manifest Data:

The malware requests multiple dangerous permissions such as SEND_SMS, READ_PHONE_STATE, CALL_PHONE, RECEIVE_SMS, READ_CONTACTS, and READ_SMS. Once these permissions are granted, the malicious app performs the following activities:

  • The application asks the user to turn on the Accessibility service.
  • The application asks for complete control of the device.
  • The application asks the user to allow access to notifications.
  • The application asks the user to allow it to replace the default SMS app; once it holds this role, it can handle all SMS data.
  • The application reads contacts from the compromised device and uploads them to its server.
  • The application can access incoming and stored messages on the victim’s device. Additionally, it can send and delete SMS messages.
  • The application can kill background processes of other apps.

Figure 4 Flow Representation of Application Functionalities
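The three capabilities in the list above (an enabled Accessibility service, notification-listener access, and the default SMS role) are all recorded in Android’s secure settings, so an incident responder can check a device for them over adb without the sample. The script below is an added example, not code from the report or the malware: it parses the values that `adb shell settings get secure enabled_accessibility_services`, `enabled_notification_listeners` and `sms_default_application` return, compares them with an allowlist (an assumption), and reports packages that hold privileged roles. The sample values and allowlist entries are constructed; only the package name com.miniclip.carrom comes from the analysis.

```python
"""Device-side triage for FluBot-style privilege abuse: which packages hold the
Accessibility, notification-listener and default-SMS roles. Added example, not
Cyble's or the malware's code. The settings values are constructed to look like
`adb shell settings get secure <key>` output; com.miniclip.carrom is the package
name from the analysis, the other names are assumptions."""

# Constructed: values in the format Android stores them. Component lists are
# "package/class" entries separated by ':'; an unset key prints "null".
SAMPLE_SETTINGS = {
    "enabled_accessibility_services":
        "com.google.android.marvin.talkback/.TalkBackService:"
        "com.miniclip.carrom/com.miniclip.carrom.AccService",
    "enabled_notification_listeners":
        "com.google.android.wearable.app/.NotifListener:"
        "com.miniclip.carrom/.NotifService",
    "sms_default_application": "com.miniclip.carrom",
}

# Assumption: packages an organisation accepts in each privileged role.
ALLOWED = {
    "enabled_accessibility_services": {"com.google.android.marvin.talkback"},
    "enabled_notification_listeners": {"com.google.android.wearable.app"},
    "sms_default_application": {"com.google.android.apps.messaging"},
}


def packages_in(setting_value):
    """Package names from a ':'-separated ComponentName list (or a bare package)."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting_value.split(":") if entry}


def triage(settings, allowed=ALLOWED):
    """Map package -> list of privileged roles it holds without being allowlisted."""
    findings = {}
    for key, value in settings.items():
        for pkg in packages_in(value) - allowed.get(key, set()):
            findings.setdefault(pkg, []).append(key)
    return findings


def flubot_like(findings):
    """Packages holding all three roles at once: the combination the report
    describes, and far rarer in legitimate apps than any single role."""
    needed = set(ALLOWED)
    return sorted(pkg for pkg, roles in findings.items() if needed <= set(roles))


if __name__ == "__main__":
    found = triage(SAMPLE_SETTINGS)
    for pkg, roles in found.items():
        print(f"{pkg}: {', '.join(roles)}")
    print("FluBot-like:", flubot_like(found))
```

On a live device, replace SAMPLE_SETTINGS with the output of the three `settings get secure` commands; a package that is the default SMS app and also holds accessibility and notification access should be pulled (`adb pull`) for analysis before it is removed.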

Reviewing the manifest file shows that the application declares multiple entry points. “com.miniclip.carrom.g” is the Application subclass and the main entry point of the malicious app; it is loaded first when the app is launched.

Figure 5 Manifest Information of the APK file

Upon further inspection, we noticed that MainActivity, MainReceiver, and other classes declared in the manifest are missing from the APK’s classes.dex. The malware uses a custom packer to evade signature-based detection.

With this custom packer, the fake app hides these classes inside a separate DEX file, which is stored encrypted in the assets directory of the APK.

At runtime, the malicious app decrypts and loads the classes from this DEX file. We were able to decrypt the DEX file by reverse engineering the loader; the decryption code is shown in the figure below.

Figure 6 Decryption Code Used for Embedded Dex File
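The two observations above (manifest components with no class in classes.dex, and an encrypted blob under assets/) are the cheapest packer indicators to automate. The script below is an added example, not Cyble’s or the malware’s code: it cross-checks a decoded manifest against the class names a DEX parser reports and scores assets by byte entropy. The manifest and class list are constructed to mirror the sample’s layout; only com.miniclip.carrom.g is taken from the analysis, and the other class names, the asset names and the entropy threshold are assumptions.

```python
"""Packer triage for an APK: components the manifest declares but classes.dex
does not contain, plus assets whose byte entropy suggests an encrypted DEX.
Added example, not the malware's or Cyble's code. The manifest below is
constructed (a decoded manifest as apktool would produce); only the
application class com.miniclip.carrom.g is taken from the analysis, the
other class names are assumptions."""
import math
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
COMPONENT_TAGS = ("activity", "receiver", "service", "provider")

MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.miniclip.carrom">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:name="com.miniclip.carrom.g">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".MainReceiver"/>
    <service android:name="com.miniclip.carrom.AccService"/>
  </application>
</manifest>"""

# Constructed: the class names a DEX parser (e.g. androguard, after converting
# "Lcom/...;" descriptors to dotted names) would list for the packer stub alone.
STUB_DEX_CLASSES = {"com.miniclip.carrom.g", "com.miniclip.carrom.a", "com.miniclip.carrom.b"}


def declared_classes(manifest_xml):
    """Fully qualified class names of the application and its components."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")

    def qualify(name):
        if name.startswith("."):      # ".MainActivity" -> <pkg>.MainActivity
            return pkg + name
        if "." not in name:           # "MainActivity"  -> <pkg>.MainActivity
            return pkg + "." + name
        return name                   # already fully qualified

    app = root.find("application")
    if app is None:
        return set()
    names = {app.get(NAME_ATTR)} if app.get(NAME_ATTR) else set()
    for tag in COMPONENT_TAGS:
        names.update(el.get(NAME_ATTR) for el in app.iter(tag) if el.get(NAME_ATTR))
    return {qualify(n) for n in names}


def missing_components(manifest_xml, dex_classes):
    """Declared classes with no implementation in the DEX: they must be
    loaded from somewhere else at runtime, i.e. a packer is involved."""
    return sorted(declared_classes(manifest_xml) - set(dex_classes))


def shannon_entropy(data):
    """Bits per byte. Random/encrypted data approaches 8.0; code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_assets(assets, threshold=7.5):
    """Names of assets whose content looks encrypted, highest entropy first."""
    scored = sorted(((shannon_entropy(b), n) for n, b in assets.items()), reverse=True)
    return [n for h, n in scored if h >= threshold]


if __name__ == "__main__":
    import os
    # Constructed assets: a random blob standing in for the encrypted DEX,
    # and an ordinary text file for contrast.
    assets = {"assets/data.bin": os.urandom(65536),
              "assets/help.txt": b"How to play carrom.\n" * 200}
    print("declared but missing:", missing_components(MANIFEST_XML, STUB_DEX_CLASSES))
    print("high-entropy assets:", suspicious_assets(assets))
```

The entropy check is a coarse filter (compressed images also score high), so it is best read together with the missing-component list: a stub DEX that implements none of the declared components plus one near-8.0 asset is the pattern described above.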

Common Functionalities of the FluBot App:

As in earlier versions of FluBot, the data the malware collects after compromising the victim’s device includes the following:

  • The code snippet that reads and collects contact data is shown in the figure below.
Figure 7 Reads and Collects Contact Data

  • The malware can also send text messages, as shown below.
Figure 8 Sending Text Messages

  • Once the user grants notification access, the malware reads (steals) incoming notifications and cancels them without the user’s interaction or knowledge.
Figure 9 Steals and Cancels Notifications on Enabling Notification Access

Commands Used by FluBot App:

FluBot performs its malicious activities by receiving commands from its Command-and-Control (C&C) server. In the sample analyzed by Cyble Research Labs, the command strings are obfuscated with a custom XOR implementation; the decoded commands are listed below:

Command                 Description
UNINSTALL_APP           Removes an application identified by its package name
SMS_INT_TOGGLE          Toggles SMS interception
SOCKS**                 Configures a SOCKS proxy for traffic redirection
BLOCK                   Blocks notifications
UPLOAD_SMS              Uploads the collected SMS data
OPEN_URL                Loads the given page in a WebView
NOTIF_INT_TOGGLE        Toggles notification interception
RUN_USSD                Runs a USSD code (call-related functions)
DISABLE_PLAY_PROTECT**  Deactivates Google Play Protect on the device
RELOAD_INJECTS          Updates the overlay (inject) templates used by the malware
SEND_SMS                Sends text messages
GET_CONTACTS            Reads and collects contact data
RETRY_INJECT            Clears a flag value saved in shared preferences
INTERCEPTING_NOTIF      Intercepts incoming notifications

Table 1 Commands Identified in the Malware sample

The two features marked with (**) in Table 1 have also been replicated in other recently discovered banking Trojans.

DGA Module:

FluBot is also well known for its Domain Generation Algorithm (DGA), a feature not observed in most Android banking Trojan families. FluBot obtains the address of its C&C server using this DGA.

Seeded by the current year and month, the DGA generates over 2000 domains. Each domain is 15 characters long and uses the “su”, “ru”, or “cn” Top-Level Domain (TLD). The figure below shows a subset of the URLs generated by the DGA.

Figure 10 DGA Domains

The data collected by the malware is exfiltrated to the C&C server at a domain generated by the DGA. Attackers use the DGA so they can switch the domains used in an attack swiftly.

The DGA is used here because security vendors and hosting providers move quickly to block and take down malicious domains used by malware.
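The report describes the DGA only by its output (15-character labels under .su/.ru/.cn, thousands per month), which is enough to hunt for it in DNS logs without knowing the seed. The script below is an added example, not Cyble’s or the malware’s code, and it does not reproduce FluBot’s algorithm: it scores second-level labels of that shape for machine-generated character statistics and groups hits per client, since one device walking through dozens of such names is the DGA looking for a live C&C. The log lines are constructed in a generic “time client qname type” form, the positive domains are the ones from the IOC table below, and the scoring thresholds are my assumptions.

```python
"""Hunt for FluBot-style DGA lookups in DNS logs. Added example, not Cyble's
or the malware's code: it does not reproduce FluBot's DGA (the report gives
only the output shape); it recognises that shape, a 15-letter second-level
label under .ru/.su/.cn that looks machine-generated, and groups hits per
client. Log lines are constructed in a generic "<time> <client> <qname> <type>"
form; the positives are the report's IOC domains, the thresholds are
assumptions."""
import re
from collections import defaultdict

DGA_TLDS = {"ru", "su", "cn"}
SLD_RE = re.compile(r"^[a-z]{15}$")             # exactly 15 letters, no digits/hyphens
RARE = set("jkqvwxz")                           # letters uncommon in natural-language labels
CONSONANT_RUN_RE = re.compile(r"[^aeiou]{4,}")  # 4+ consonants in a row (y counts as consonant)


def dga_score(label):
    """0..3 points: long consonant run, rare letters, few vowels."""
    score = 0
    if CONSONANT_RUN_RE.search(label):
        score += 1
    if sum(c in RARE for c in label) >= 2:
        score += 1
    if sum(c in "aeiou" for c in label) / len(label) < 0.3:
        score += 1
    return score


def looks_like_flubot_dga(qname, min_score=2):
    """True for <15 letters>.<ru|su|cn> names scoring at least min_score."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2:
        return False
    sld, tld = labels
    if tld not in DGA_TLDS or not SLD_RE.match(sld):
        return False
    return dga_score(sld) >= min_score


# Constructed log: one host cycling through the report's IOC domains (as an
# infected device does until it finds a live C&C), two hosts doing normal lookups.
SAMPLE_DNS_LOG = """\
2021-09-28T10:12:01Z 10.0.0.17 yoquqwxxjttsmuh.ru A
2021-09-28T10:12:01Z 10.0.0.17 gsvjcagswqsaosn.ru A
2021-09-28T10:12:02Z 10.0.0.17 kkwpifwkkxilltk.ru A
2021-09-28T10:12:02Z 10.0.0.17 revgmkegctflpes.ru A
2021-09-28T10:12:03Z 10.0.0.17 diekqueqmlpmofa.cn A
2021-09-28T10:12:03Z 10.0.0.17 asfnfpfibhtrafy.ru A
2021-09-28T10:12:05Z 10.0.0.23 internationally.ru A
2021-09-28T10:12:06Z 10.0.0.23 mail.ru A
2021-09-28T10:12:07Z 10.0.0.42 counterexamples.cn A
"""


def scan_dns_log(text, min_hits=3):
    """Map client -> list of DGA-like qnames, keeping clients with >= min_hits.
    A single odd name is weak evidence; a burst of them from one device is
    the DGA walking its candidate list."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        _ts, client, qname = parts[:3]
        if looks_like_flubot_dga(qname):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

The per-client threshold matters more than the per-name score: a legitimate 15-letter .ru domain can score 1 or 2, but only an infected device resolves a run of them within seconds. For proxy logs, the same domains can be keyed on the /p.php path seen in the IOC URLs.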

The malware encrypts part of each request it sends to the server with an embedded RSA public key, as shown in Figure 11.

Figure 11 RSA Encryption Technique Used for C2 Communication

Conclusion:

We have observed numerous forms of banking malware that perform various operations against victims’ mobile bank accounts over time. This FluBot version takes control of the entire device by abusing the Accessibility Service on an unsuspecting victim’s phone, which enables it to steal passwords, bank details, and other sensitive information.

Furthermore, the Smishing campaign that distributes FluBot frequently changes its theme. Examples include impersonating a well-known courier firm, a voicemail lure, and, as outlined in the analysis above, impersonating a security program.

Threat Actors continually adapt their approaches to avoid detection and find new ways to target users using sophisticated methods. Malicious software is frequently disguised as legitimate software to trick users into installing it.

Users should be wary of granting the requested permissions even to apps distributed through well-known app portals like the Google Play Store, since we have observed banking malware increasingly abusing the Accessibility Service on Android devices.

Our Recommendations:

We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app portals such as the Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful when enabling any permissions on your device.
  • If you find any suspicious application on your device, uninstall it immediately.
  • Keep your anti-virus software updated to detect and remove malicious software.
  • Use strong passwords and enable two-factor authentication.

Additionally, New Zealand users who come across these circulating fraudulent text messages can find guidance on CERT NZ’s official website (cert.govt.nz). We urge users to follow that guidance and to report incidents to the authorities via the phone number listed on the CERT NZ page.

MITRE ATT&CK® Techniques

Tactic                        Technique ID   Technique Name
Defense Evasion               T1418          Application Discovery
Defense Evasion               T1406          Obfuscated Files or Information
Credential Access/Collection  T1409          Access Stored Application Data
Discovery                     T1421          System Network Connections Discovery
Discovery                     T1422          System Network Configuration Discovery
Discovery/Collection          T1430          Location Tracking
Discovery                     T1426          System Information Discovery
Discovery                     T1424          Process Discovery
Collection                    T1432          Access Contact List
Collection                    T1507          Network Information Discovery
Network Effects               T1449          Exploit SS7 to Redirect Phone Calls/SMS
Impact                        T1447          Delete Device Data
Impact                        T1448          Carrier Billing Fraud

Indicators Of Compromise (IOCs) 

Indicator                                                          Indicator type  Description
6e3499a5e63209b34ccc787a7ea57953ff5436b51ca4325ea0da4a958f44ea7b   SHA256          Malicious APK
c8c0c074c1b5f9a1c0a383b90609cb8c0a0734a5a543af88fafd2b735d54c663   SHA256          Malicious APK
hxxp://yoquqwxxjttsmuh[.]ru/p.php                                  URL             Communicating URL
hxxp://gsvjcagswqsaosn[.]ru/p.php                                  URL             Communicating URL
hxxp://kkwpifwkkxilltk[.]ru/p.php                                  URL             Communicating URL
hxxp://revgmkegctflpes[.]ru/p.php                                  URL             Communicating URL
hxxp://diekqueqmlpmofa[.]cn/p.php                                  URL             Communicating URL
hxxp://asfnfpfibhtrafy[.]ru/p.php                                  URL             Communicating URL
