
How the ‘FluBot’ spyware is getting onto Android devices

Have you heard of ‘FluBot’? The spyware is spreading among Android devices and could steal your passwords. Here’s how it works.

An app known as ‘FluBot’ is being sent to mobile devices in a text message fraudulently posing as being from courier DHL – it says you have a parcel out for delivery and includes a link that invites you to track the delivery by downloading a fake tracking app.

But the app is actually malware/spyware that could steal your passwords.

Spyware is malicious software that can access data on your phone. Sometimes it might trick you into entering sensitive information such as passwords by prompting you with fake login pages. These details can be used to access accounts and target you and your contacts with further scams.

The way spyware is distributed is constantly evolving: senders switch to different links and mask the messages’ origins by using different mobile numbers.

Make Which? aware of a scam with our Scams Sharer tool

Tricky to uninstall

A recent FluBot victim, Connor from Birmingham, told us he was expecting a delivery from DHL and decided to download the app to track it as he was worried he might not be at home to receive it. 

Something about the app he downloaded through the link in the text didn’t look right to him, and it didn’t seem to work. But when he tried to uninstall it he couldn’t. After searching online, he discovered he had unknowingly installed spyware.

He planned to deal with it later by resetting his phone, but the following morning he received several notifications from Google warning him that someone had tried to log into his Gmail account from a new device, apparently located in Perth, Australia.

He eventually contacted Samsung, which he said was helpful and reassuring. He was able to back up all the contacts, photos and files on his phone. But he told us it was a pain to set up his phone and banking app logins again from scratch – it took several days for his phone to be back to normal. 

Another victim told us they received the following text message days after browsing a website called Euro Car Parts. They were confused and tempted to click through. This was likely a coincidence, but often this is how these text messages are successful. 

Scammers are including large retailers in the messages that they know use certain couriers. It makes more sense to victims if they expect their ASOS delivery is coming via Hermes, for example.

We made DHL aware of the fraudulent texts but it hasn’t got back to us yet. We’ll publish any response here when it does.

How to protect yourself from FluBot

⚠ Don’t click on any links you receive in text messages, however legitimate they might look. If you’re invited to track a package, or update details in an account, visit the official website and log in that way.

⚠ Keep on top of the latest software updates. They help protect your phone from the latest security threats. If your smartphone or tablet is an older model and no longer supports software updates, it will be more vulnerable to spyware and malware attacks. Consider upgrading if you can. Find out whether your phone might be more at risk.

How to get rid of FluBot

We’ve heard from lots of affected people that it’s impossible to simply uninstall this spyware. A full system reset should work, but you might want to back up your data first so you don’t lose it. However, don’t restore the phone from the backup – do a completely fresh install with a factory reset, then download your apps and files again. It’s a nuisance, but it’s safer. You can also:

Contact your phone manufacturer’s customer support for help. We’ve heard mobile phone manufacturers have been very supportive. They will guide you through removing spyware from your phone completely free of charge. 

Beware of opportunists who claim they can remove spyware for a price – there’s a chance they could also be scammers trying to access your phone.

Change your passwords for your online banking accounts, email and any other sensitive accounts or apps you might have on your phone.

If you’re targeted by nuisance messages and phone calls, consider changing your mobile number. It’s a bit of a hassle but an effective final resort.

Have you been affected by malware/spyware?

Companies shouldn’t be including any links in text communications. All the information should be in the message. But many still do, and it’s confusing for customers and leaves them open to impersonation by fraudsters.

Guide: how to spot a scam

Guide: how to get your money back after a scam

Which? is currently working to advise banks, organisations and retailers on how to safely communicate with customers via text message. 

Have you received this fake message or ended up with spyware on your phone?


This is another reason to use iPhones. Unlike on Android, third party apps on iPhones cannot access data on the phone except for data stored by the same app developer. Therefore malware on an iPhone can’t do much.

I’ve been trying out some of these text scams on my spare iPhone and quite a few of them go straight through to quite clever phishing sites. So although FluBot cannot affect iPhone users, they may yet be vulnerable to a lot of the other text scams.

Next time you look at an app on a smart phone, have a look at what the app does in addition to its advertised purpose. I recently thought about installing a plant recognition app on my phone. In doing this, I quite literally allow the app to take control of the phone, preventing it from closing down, accessing all the data on it, controlling the camera and video, examining all my contacts and accessing the internet when it feels like it; even locating my position. It is not the only app to do this. Is this the smart phone of the future? Not for me it isn’t.
“Version 3.4.4 may request access to:
Location – access precise location only in the foreground. Access approximate location only in the foreground.
Storage – read the content of your shared storage. Modify or delete the contents of your shared storage.
Have full network access.
View network connections.
Prevent the phone from sleeping.
Play, install Referrer API
View Wi-Fi connections.
Receive data from internet.”

Vynor, most PC apps get all those permissions by default and users cannot control permissions in that kind of way at all.

But you are also right to worry about the use of software from unknown vendors, especially if it is closed source. With such software, users have to trust that there won’t be any built in spyware. Unfortunately, I keep coming across examples of software behaving badly.

Looks like the BBC has more info: https://www.bbc.co.uk/news/technology-56859091

Karina says:
13 May 2021

I thought sites starting with https:// were genuine – if malware producers are using https:// it makes it even more difficult to sift the wheat from the chaff as it were.
I am not opening anything on my phone, do not respond or return calls from unknown numbers and keep security up to date.

Chris says:
13 May 2021

https means that the connection between you and the website is encrypted, nothing more. It has no bearing on the content or purpose of the website. Unfortunately people who should know better have often misled the public about this.

Morgan says:
15 May 2021

No, all the “https” means is that you have a secure connection – data you send to the website you’re on is unlikely to be intercepted.
To make sure you’re on the official site is slightly more complicated.
First you need to know the official site – Google can help with that, as long as you skip over ads.
Then you compare the things before the first forward slash (not including the one in https://) going backwards.
If the official website is www dot cheesecake dot com, then you first check the site you’re on ends with dot com. You then check up to the next dot (so dot cheesecake).
As long as they match exactly, you’re definitely on the official cheesecake dot com domain. However even then you’re not guaranteed to be safe, if multiple businesses use cheesecake dot com, so keep checking each section until you’re sure.
Sometimes things won’t match, but will make sense – keeping with the cheesecake you might find you’re on buy dot vanilla dot cheesecake dot com. That’s usually going to be fine, as long as there aren’t any extra forward slashes thrown in.

You’ve misunderstood what https is for. Anyone can obtain an https certificate. Some certificates are payable, others are free… but however one obtains the certificate they’re not a method of authenticity 👍

Em says:
16 May 2021

@Chris and @Hedgie

An https protocol connection (denoted by a padlock in Chrome / Edge browsers) shows the site is both authentic and also that the data you exchange with that site is secured by encryption.

Authenticity just means you are exactly who you say you are – down to the very last character or punctuation mark in that website address. A certificate used with the https protocol does provide this authenticity. The https website barclays_dot_advance_fee_fraud_dot_com really is who they say they are!

The question is all about which websites you can trust and which you cannot. Technology does not provide an answer for that.

In summary, a padlock does not mean a website can be trusted or is safe to use.

@Which? – please provide more education on this important topic.

Em says:
16 May 2021

If the above all sounds like techno-babble, here is a simple analogy:

Suppose you call your bank by telephone. Someone at the telephone exchange automatically redirects your call to an inauthentic (fake) banking operation. Or they eavesdrop on your conversation and steal your data because the conversation is not encrypted (scrambled). That is like basic http – no padlock.

So the telecoms company puts some https-like securities in place to stop telephone exchanges being hacked and voice data being intercepted. Now you can be sure that the telephone number you dial goes through to the correct location and no one else can intercept your data. Your call is “padlocked”.

You have the correct number for your bank. You can now call them with relative confidence.
However, you can still misdial the number of your bank and end up speaking to a Chinese take-away – just like mistyping a web address.

You can even dial the number of your “bank” that some random person has sent to you, rather than check your bank card for the correct number. The telephone security still does its job; you are speaking to the exact location you have dialed. And no one else can hear what you are saying – to the scammer at the other end of the line. The https-like security doesn’t provide any protection against this.

I wonder if anti-malware software is effective in protecting users against the FluBot spyware but from a link at the end of the introduction: “We [Which?] don’t test mobile security software any more, but when we did both free and paid apps received Best Buy awards. So, you don’t necessarily have to pay to get effective extra protection for your mobile device.”

I remember being advised to install antivirus software back in 1992, before my computer was connected to the internet via a dial-up modem, and the risk was picking up a dodgy file from a floppy disk. Of course anti-malware software can usually only offer protection once the problem has been discovered and the software updated.

Thanks for all this useful background and history, but what would be more interesting to hear would be how many scammers have been caught and what punishment did they receive. Only adequate punishments, if severe enough, will deter others.

I have been thinking exactly the same thing. There never seems to be any information about what is happening to stop scammers. They must have some kind of bank account. How can the banks not notice masses of activity, what are they doing to sort this out? It’s outrageous that nothing ever seems to happen to stop them.

Press articles report many scammers are old hands at fraud activity. A Register of convicted criminals with their alias names would alert & warn of imminent problems.

Could I ask for clarification? The article mentions vulnerability in “Android devices”, and that FluBot is sent as a text message. My Android devices are tablets, not phones. They can and do receive emails, but can’t receive what I think most people refer to as text messages, as sent to a phone number.

Can I take it that people with tablets don’t need to worry (yet!) about FluBot? We mustn’t be complacent, of course; I’m sure fraudsters will continue to develop their techniques so as to try to catch us out.

Meanwhile, many thanks for the article.

Hi EEB, the articles suggest that victims are installing FluBot in response to scam texts (“smishing”), so tablets without built in sim cards and cell phone capabilities should not be receiving any such messages.

I found some further info here: https://www.technadu.com/android-malware-flubot-appears-unstoppable-now/269705/ and here: https://www.komando.com/security-privacy/flubot-spyware-delivery-scam/787745/

That said, the scammers might also try to infect machines via scam emails or scam websites, but I have not seen that reported yet.

The BBC article also clarified that the FluBot infection involved the more complicated procedure of an Android APK download and installation (sometimes called a side-load) instead of a regular app installation from the Play Store. So anyone who limits themselves to official Play Store apps may also be immune to this infection.

James Tobin says:
13 May 2021

I’ve had some of these scam phone calls about parcels and HMRC. I just blocked them all and heard no more from them.

I have received the txts supposedly from DHL, not only on my personal phone but also my work phone. I knew I wasn’t due a parcel delivery so just blocked the number and deleted the message.

If I block a number can I delete it? I was told that if I deleted a blocked number it becomes unblocked. My mobile is full of blocked numbers. Please help.

Frankie says:
13 May 2021

Unfortunately not being able to click on links is a disaster for the Covid vaccination programme. I am running a local vaccine programme and we rely on using a programme called accubook to text people and invite them to click on a link to book their vaccine. If they don’t, it is a huge amount of work for hard pressed staff who have normal NHS GP work to do. These texts have the surgery name at the bottom and are addressed to you. Which – please make it clear that these texts should be used!!

I understand your reasons, Frankie, but some who have clicked on links in fake text messages about vaccination have been scammed and it’s very difficult for the average person to know if the message is genuine. Having received the text message I waited for my letter and booked online with my local vaccination centre.

I believe that the NHS should have directed those who are eligible for vaccination online to use the secure gov.uk website to book vaccination at a vaccination centre or (if there is a valid reason) via their GP surgery. Unfortunately the NHS website is not within gov.uk, leading to the possibility of malicious clones. We must work to reduce the load on the NHS but also to protect us from scams.

I agree with Frankie that an automated system is probably necessary when trying to get so many people vaccinated so quickly. In my experience GPs offered more convenient locations than the centralised NHS ones and I used the link in the messages to make my bookings. I wonder just how many fell foul of a fraudulent link? Very few comments on the vaccine scam Convo and mostly from regulars with no one taken in. The alarm bells rang in the intro when credit card details were requested.

There’s another way round that! My phone is an old one that makes phone calls and sends texts – no internet access so clicking on a link is not an option – it annoys me that everyone assumes that we ALL have phones that will, however, all you need to do – with internet access of course – is type the link into the browser – I’ve done it twice for my vaccinations with no problems.

STRAW says:
13 May 2021

Why is the responsibility for stopping scammers being put with the end user? Surely this is a worldwide issue and needs Government funding and action to prevent it happening and to identify and jail the scammers. All Governments should work with the providers such as Google, Facebook, Instagram, banks etc to secure their sites and protect their customers.

At the end of the day, Government can only get funding for fighting scams by taxing end users. Hence, it is most efficient for end users to do what they can and then only require Government to do things that end users cannot.

Liz says:
14 May 2021

You can help get the scammers stopped by creating a new contact (eg, Fraud Reports to Govt) with the number 7726; copying the scam text message; typing the number it came from into a text to 7726, then pasting in the message.
If it is an email, forward it to report@phishing.gov.uk

David Elsworth says:
14 May 2021

Thought this may be of interest??

How to read a URL.

Let’s look at a simple example: google.com

The way to understand this URL is actually to read the portions separated by dots *backwards*:

– .com – This is a top-level domain, the broadest category of search when your browser tries to figure out where this website is. Other top level domains include .gov, .net, and country codes like .uk, .ie, .fr etc. (This means that .uk is a top level domain, and .co.uk and .gov.uk are more specific categories of .uk)
– google.com – The “google” part is a narrower specifier than “com”. This is specific enough to take us to Google’s homepage.

This pattern continues reading backwards. E.g. You might use mail.google.com, which is interpreted as “I’m looking for a commercial site, named “google”, and I want the “mail” portion of that site.”

– Start from the last dot, then read backwards.

Now, at this point you might be wondering “What about the ‘/’ ? Where does that come in?” This is where URLs are really illogical. The slash only applies *after* you’ve read all the way backwards through dots. So a URL like drive.google.com/my-file is interpreted as “I want a commercial site, named google, and I want the “drive” portion of that site. I then want the site to do something with the phrase ‘my-file’”

How different websites handle content after the first slash is pretty arbitrary, and isn’t that important when avoiding scammers. Only the stuff before the slash actually determines who you’re sending your information to.

But this is where URLs are confusing. The “logical” way to read them is from the last dot, *backwards*, then go back to any slashes and read them *forwards*

Always check where the dots and slashes are

So to read a URL:
– Find the last dot, before any slashes
– Read backwards through the different parts separated by dots
– Read any parts that come after slashes (but this is less important for avoiding scams)

So, back to the original example, that initially appears to be from gumtree.com. Maybe you read the additional dots as though they were slashes. But in reality:


– .pw is the top-level domain. This site is (probably) based in Palau.
– items-eu is the name of the website. items-eu.pw is the address of the main website
– com.items-eu.pw is a subsection of that site
– gumtree.com.items-eu.pw is a further subsection of the site

This is NOT gumtree.com!

People are very used to reading a URL forwards, and treating anything after a .com or a .co.uk as arbitrary, but that’s far from true.

In this case, it doesn’t even matter that the padlock icon is there. All this means is that the scammers have acquired a security certificate for the website items-eu.pw. It DOES NOT verify that this website is from gumtree. Quite the opposite.

Other things to look out for and remember:
– Scam emails for things like HMRC are very common. Often the URL they direct you to will be something like hmrc-tax-rebate.com, with the padlock and everything. This is absolutely a scam. URLs for government services will always look like something.gov.uk, or gov.uk/something, and not gov.uk.something, and the same applies for Google, Amazon and other big companies. Always read backwards from the last dot. Look for other goofs like missing dots.
– All the padlock does is verify that the website came from where the URL says it should, and that there isn’t some other kind of attack going on, like a man-in-the-middle or DNS poisoning. If the URL is not what you expect it to be, the padlock means nothing.
– With that said, remember that spoof URLs aren’t the only way to scam, but they’re the first thing to sanity-check if you’re not sure.
– It is trivial to mimic the look and functionality of any website exactly. Not even to make it look similar, I mean indistinguishable from the original. Anyone with a modern browser can copy code from a legit website and have their own version that looks identical. Just because it doesn’t look like a hack job, doesn’t mean it’s legit.

Stay vigilant, and report scammy activity to Action Fraud.
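The right-to-left reading that Morgan and David describe above can be checked mechanically. This is an added example in Python, not part of any commenter's post: the suffix set is a hand-picked subset, the paths and the `example.net` / `example.com` hosts are constructed, and `check_link` with its `brand` parameter is a hypothetical helper.

```python
from urllib.parse import urlsplit

# Hand-picked subset of public suffixes, for this example only (assumption).
# Real tooling should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "gov", "pw", "uk", "co.uk", "gov.uk", "ie", "fr"}


def split_link(url):
    """Return (hostname, path); the hostname is everything before the first slash."""
    if "://" not in url:
        url = "https://" + url  # links in texts often omit the scheme
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower(), parts.path.lower()


def registrable_domain(host):
    """Read the labels right to left: longest known suffix plus one more label."""
    labels = host.split(".")
    for start in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[start:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[start - 1:]) if start > 0 else None
    return None  # suffix is outside our small subset


def check_link(url, official, brand):
    """Compare a link against the official domain the reader already knows."""
    host, path = split_link(url)
    result = {"host": host, "owner": registrable_domain(host), "reasons": []}
    # Genuine only if the host IS the official domain or ends with ".official".
    if host == official or host.endswith("." + official):
        result["verdict"] = "match"
        return result
    result["verdict"] = "mismatch"
    if "." + official + "." in "." + host + ".":
        result["reasons"].append("official name used as a subdomain label")
    elif brand in host:
        result["reasons"].append("brand word inside a different registered name")
    if brand in path:
        result["reasons"].append("brand word appears after the slash")
    return result


# Constructed sample links; only the hostnames gumtree.com.items-eu.pw,
# hmrc-tax-rebate.com and mail.google.com come from the comments above.
SAMPLES = [
    ("https://gumtree.com.items-eu.pw/item", "gumtree.com", "gumtree"),
    ("https://hmrc-tax-rebate.com/claim", "gov.uk", "hmrc"),
    ("https://gov.uk.refunds.example.com/", "gov.uk", "hmrc"),
    ("parcel-tracking.example.net/dhl/track", "dhl.com", "dhl"),
    ("https://mail.google.com/inbox", "google.com", "google"),
    ("https://buy.vanilla.cheesecake.com/", "cheesecake.com", "cheesecake"),
]

if __name__ == "__main__":
    for url, official, brand in SAMPLES:
        r = check_link(url, official, brand)
        print(f"{r['verdict']:8} owner={r['owner']!s:22} {url} {r['reasons']}")
```

The `owner` field is the name whoever set up the site actually registered, which is also the name the padlock's certificate vouches for.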

Thanks David, some good tips there.

I’ve been experimenting with some of the parcel delivery smishing texts on my “tethered goat” iPhone and they do link through to some very realistic websites.

Some of them can even spot and reject made up post codes and card numbers, should one attempt to fill their forms with useless data. And, as a clever finishing touch, completion of the fake ID capture form then redirects victims to the real parcel delivery website.

Thanks David. Very interesting and though complex, sifting through the logic, it shows that there are many points where a minor difference means a lot in terms of the address. The general point I take is that padlocks are not necessarily an indication of a secure site, and though a recognisable company name appears in the address, it’s not always where our mail reply is going to.
What to do about that? Proceed with caution and make sure that your reply goes where you want it to. That means knowing the correct address and matching it with what is on screen. Better still, sending a separate e-mail of your own to your known address.
It is no wonder the scammers are succeeding when it is so easy to dupe and e-mail addresses have so many slashes and full stops in them. How many of us know what they all do? You obviously do, and your post is useful to those who can work through it. The internet is not for the innocent or unwary, and yet we all have access to it. A bit like the electric sockets in the house and what we do to them.

That’s a great explanation, David. I’ve written a piece explaining that too https://www.which.co.uk/news/2020/04/how-to-spot-and-stop-fake-coronavirus-texts-and-emails/

Em says:
16 May 2021

@Kate – I hadn’t seen that before, thank you.

Apart from doing more to educate the public, I would like to see Which? being more pro-active in correcting or taking down Convo comments that provide incomplete or misleading information. I do my best to reply to what I come across when I have time, but my corrections are often much further down the reply thread and have less prominence, since I cannot directly reply to a reply.

Above is a simple case in point where the significance of the https protocol is not fully or clearly explained.

During the height of the vaccination programme there were posts by perhaps well-meaning but misinformed contributors at best, or anti-vaxers at worst, raising false concerns about genuine NHS websites where the public can register for the Covid-19 vaccines.

Paul says:
14 May 2021

I have received numerous of these types of text messages on my iphone. I opened the first one and realised it was a scam, and then deleted all the others as they arrived.

Looking at the texts in the article, it highlights the lack of understanding of what a URL is, and some form of education of the masses is needed to be able to read one.

subdomain dot domain dot extension slash path.

People seeing the company name in the path part should really know it’s not the correct domain, hence why more education is needed.

PM says:
15 May 2021

How are we supposed to follow this when even Google send texts with links you have to click in them recently as “better security”? You would think the tech industry itself would address this issue better of urgency and stop making us click links.

I think what Google would say is that rather than not clicking on links, one should rely on effective security software, such as Google safe browsing, to prevent one’s browser from opening malware links.

But that said, it has been reported that links to FluBot do indeed open on Google Android devices.

I expect Google also believe, as I do, that clickable links are an essential tool for ease of use, when making the Internet accessible for all.

Thus, simply telling all folk to never click on links is not a complete solution for this problem.

In general, a good security system should not depend on any single line of defence.

For me, recognising and deleting spam texts and emails is an important line of defence. Another one is never installing any software without researching it first. Similarly, a further one is never giving out my id data if I don’t need to.

I received three texts regarding DHL shipments, but I knew I didn’t order anything so deleted them!!!!!
Thank you for your help. xx

There’s something missing from this article, though: Android does NOT allow you to install apps “in the wild”.

If one installs an app from the Google Play Store it installs straight away and it’s scanned regularly for malware.

If one tries to “side load” an app, like doing so via a website you arrived at via a text message, Android either denies it or advises you that you *could* install the app if you turn off protection.

I guess this article sounds more urgent if we leave out “user made a decision to override the phone’s security and shoehorn the app in” 🤔

Thanks Hedgie. The BBC article I linked above did mention those technical aspects, but Which? did not.

Regulars on here often criticise Which? for sensationalising its reporting. I know that the first rule of journalism is “never let the facts get in the way of a good story” but I personally prefer a more objective approach.

Em says:
16 May 2021


>>> Are we linking to the reporting tool thingy? <<<

Is "Reporting Tool Thingy" the new name for the Scams Sharer Tool? And are you linking to it: