Malware capable of stealing financial data – Flubot

When Flubot hit the UK in May, it was only a matter of time before it started circulating here.

The Android-focused malware tricks users into downloading software to their phones using a fake text message claiming to be from a delivery company. Within the message is a link that invites recipients to download an app to track their delivery.

Nothing out of the ordinary for many of us who have embraced online shopping since the pandemic hit last year. But the difference between this message and the standard delivery notification is that the fake message invites users to download the app from outside of the Google Play Store. The software packages, called APKs, are actually banking Trojans whose purpose is to steal your financial data.

In a warning to consumers, regulator ComReg said that once installed, Flubot could make calls, steal passwords and other data, access contact details, distribute malware via SMS, and change accessibility settings on devices.

That’s a lot to take into account, especially when you realize the cure for Flubot: a full factory reset of your device. This means losing data unless you have a regular backup schedule in place. Even if you’re diligent about backups, you’ll need to be careful to choose a backup made before Flubot hit, unless you want to reinstall the malware.

Since Apple devices cannot install apps outside of the App Store, this malware poses more risk to Android devices. But that doesn’t mean Apple users shouldn’t be on guard.

If you are feeling a little under siege, you are not the only one. Flubot is yet another scam targeting hard-pressed mobile customers, and with all the upheaval the current public health emergency has caused, it’s not clear that consumers will be able to tell the genuine messages from the scams.

The latest scam comes as Irish consumers continue to grapple with the fallout from the HSE hack and an increase in fraudulent calls and texts claiming to be from officials such as the Department of Social Protection. Fraudulent calls claiming to be from the latter appear to be from an Irish number, as do the many text messages that try to trick us into being scammed. For the record, many calls came from numbers with an 083 prefix, with texts coming from 086 and 087 numbers. Others reported communications via landlines and 085 numbers.

So, do networks have a role to play here? It is not as simple as mobile operators being on their guard to prevent spam messages and fraudulent calls from circulating. Distinguishing fraudulent activity from genuine activity is more complicated than it sounds.

That’s not to say that mobile phone companies have no weapons to fight crooks; naturally, they are not too keen to go into detail.

“At Three, we have strong security measures in place to prevent fraudulent messages from reaching our customers. With reports of such fraudulent calls and texts, we will always engage with the appropriate authorities to resolve the issue,” the mobile network said in a statement. “We are proactively monitoring our network for large spikes in call volumes that could be fraudulent calls and taking action to prevent further calls from being made if necessary. Once reported by our customers, we will immediately block number ranges to avoid further impact on customers.”

Vodafone, meanwhile, has embarked on fraud awareness campaigns in an attempt to prevent its customers from falling into the scams trap.

“At Vodafone, we understand customer concerns about fraudulent calls and texts, and we are actively engaging in cross-industry efforts to prevent and disrupt such instances where possible,” the network said. “We also run fraud awareness campaigns to make sure customers understand the risks that fraudulent SMS messages can pose, and have a dedicated 24-hour support team that helps customers overcome challenges. We advise all of our customers to be vigilant and cautious when clicking on links received in an SMS and to refrain from sharing personal information with a cold caller.”

The crooks spreading the fake messages are not necessarily based in Ireland or within the reach of the gardaí. Calls arrive in Ireland on all mobile networks through an interconnection operator, which is an operator that carries traffic between networks. There are a number of operators that transmit these calls from Ireland, and this allows us to send and receive calls to other networks, national or international.

“In the event that spam calls or SMS come from our network, we can deal with it quickly, once detected. When the source of the calls or texts is another operator, here or abroad, we pass the relevant information to them as it is the responsibility of that operator to terminate at the source, which is the case here,” Three said. “Regarding recent scams, we have contacted several interconnection operators that we have identified on this issue, we have also encouraged operators to engage with the gardaí.”

However, while networks can block numbers where they see a spike in calls, the reality is that that number can then be changed, making it more difficult to completely eradicate the scam.

Even more complicated is the fact that although the numbers may look like Irish phone numbers, they are often spoofed, which means that they are not real numbers at all.

There may be another way to stop these scams in their tracks: zero trust. This would, according to its supporters, stop phishing via bad web addresses before it even starts.

“Flubot malware, once installed, is very sophisticated and very, very nasty,” said Paul Walsh of MetaCert. His business is focused on tackling SMS phishing, where text messages are used to scam consumers. “It’s the worst I’ve seen on mobile. But the delivery is no more sophisticated.”

Part of the problem is that while SMS firewalls can help mobile operators in terms of traffic and revenue protection, they are not configured for phishing attacks.

“If you want to protect your home, you don’t think of the fancy techniques a criminal would use once inside your home to open your safe if you leave your front door open or let them in the front of your home,” Walsh said. “You don’t let them in through your front door and you don’t have to worry about the sophistication of your safe anymore.”

The situation, he says, is now becoming urgent. Hackers have now realized how much more effective SMS phishing is than email, and the situation will only get worse, he warns.

He estimates that a deceptive URL serves its purpose within three minutes of an SMS being sent, allowing attackers to move on to the next. This makes it nearly impossible for mobile operators to respond, as a URL flagged as suspicious must be investigated by security providers and classed as unsafe before it can be blocked or removed.

Walsh thinks zero trust for web addresses is the way to go. This is where we assume all links are bad unless verified, which MetaCert’s Zero Trust URL and Web Access Authentication System offers.

The system has 20 billion verified URLs and sophisticated tools that speed up the process. Also, not all existing safe URLs need to be checked, only those most likely to be sent via SMS, such as delivery companies, government sites, postal tracking, etc.
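An added illustration of the default-deny idea described above, set beside a conventional blocklist; it is not MetaCert's code, and the host lists, function names and sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data on reserved .example/.test names (hypothetical lists).
VERIFIED_HOSTS = {"track.courier.example", "www.post.example"}
KNOWN_BAD_HOSTS = {"old-scam.test"}  # only links already investigated and classed unsafe

URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>]+", re.IGNORECASE)

def extract_hosts(sms_text):
    """Return the lower-cased hostname of every link found in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(sms_text):
        raw = raw.rstrip(".,;:!?)")
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw
        try:
            # .hostname drops any "user@" prefix and port, so a trusted name
            # placed before an "@" does not count as the destination.
            host = urlsplit(raw).hostname or ""
        except ValueError:
            host = ""  # unparseable link: never matches the verified list
        hosts.append(host.rstrip("."))
    return hosts

def blocklist_verdict(sms_text):
    """Default-allow: block only when a link is already known to be bad."""
    bad = any(h in KNOWN_BAD_HOSTS for h in extract_hosts(sms_text))
    return "block" if bad else "deliver"

def zero_trust_verdict(sms_text):
    """Default-deny: deliver only if every link is an exact verified host."""
    ok = all(h in VERIFIED_HOSTS for h in extract_hosts(sms_text))
    return "deliver" if ok else "block"

SAMPLES = [  # constructed messages
    "Your parcel is out for delivery: https://track.courier.example/p/123",
    "Parcel held, install our app: http://fresh-lure.test/app.apk",
    "Track here: https://track.courier.example@fresh-lure.test/t",
    "Track here: www.track.courier.example.fresh-lure.test/t",
    "Running late, see you at 6",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(blocklist_verdict(msg), zero_trust_verdict(msg), msg, sep=" | ")
```

The blocklist delivers every sample because none of the new hosts has been classed as unsafe yet, while the default-deny check holds back the three messages whose links are not on the verified list.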

The work is in progress, but Walsh is optimistic.

“We had the solution two years ago for SMS,” Walsh said. “Flubot is what now brings us to the table because the operators who have it on their network are trying to find a solution for it.”

For now, Flubot continues to endanger users in Ireland, and further abroad.

How to avoid scams

* Never give out personal or financial information to cold callers.

* Assume all links are suspicious, even if they appear to be from someone you trust. If a number claiming to be a delivery company sends you a link to track your package, do not use the link. If you are expecting a delivery, visit the company’s official website by typing the secure web address into your browser bar and use the tracking number they sent you in the message to find out where your package is.

* Do not install apps outside of the official App Store. Flubot accesses your device by persuading users to bypass a security mechanism and allow software installation from an unknown source, i.e. outside of the Play Store. While you also shouldn’t blindly trust software from the official app store – there have been cases of malware found in “official” apps – it’s much easier for malicious actors to insert malicious software into apps outside of the Play Store than inside it.

* Make sure that the Google Play Protect service is activated. To do this, go to the Play Store app on your phone and click on your account name in the top right corner. Select Play Protect and make sure it is turned on. This will scan for harmful apps and report which ones have been detected on your phone.

* If you install FluBot without knowing it, you will need to erase your phone to get rid of it. This means performing a factory reset and losing any data that you did not back up before installing Flubot on your device.

* Since Flubot steals your credentials, all passwords used on your device after installation are at risk. For added security, reset those passwords and if you’re reusing the same credentials on other accounts – a security no-no, by the way – reset them as well. A password manager like NordPass, LastPass, or DashLane will help you create strong and unique passwords for each account you have and store them for you.
