SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Scam Alert: Flubot malware hits New Zealand

Thu, 30th Sep 2021

The New Zealand telecommunications sector is warning customers of a new scam text message alert that is showing up in large numbers in New Zealand.

Pretending to be an alert from a courier company, the text asks users to click on a link or download an app to get information about delivery of a parcel.

Telecommunications Forum chief executive Paul Brislen says the link is not genuine and indications are that customers may find their personal details at risk if they do click on the link.

"The payload appears to resend the text via the user's address book and also asks for bank information. Needless to say, at a time when everyone is using courier delivery services, this has the potential to cause a lot of damage," he says.

Customers who have already downloaded the app may need to restore their phone to basic factory settings in order to remove the malware and then, as a precaution, change the passwords for any apps they may have been logged in to at the time.

"Anyone who receives the text message should just delete it," Brislen says. "Infection only occurs if the user clicks on the link or installs the app."

The TCF and the wider telco industry are working with the Department of Internal Affairs and CERT NZ to block the links to the malware.

Researchers at NortonLifeLock have been tracking FluBot since it first began its spread across Europe in April 2021.

The mobile malware infects and steals data from the phones of unsuspecting victims, which NortonLifeLock says highlights the importance of downloading comprehensive security to help keep devices and data safe.

What is FluBot?

The malware of the moment, grabbing the headlines, is the aptly named FluBot. It's a banking trojan, which means it's designed to appear legitimate to the receiver. It sends SMS messages to unsuspecting targets, claiming that they missed a call or have a new voicemail, on some occasions impersonating well-known institutions, like trusted parcel delivery services or banks. Once someone unsuspectingly clicks on the link, they've unfortunately given FluBot access to their phone and data. Once installed, it will access all the personal information it can gather: passwords, banking information and credit card details. It can even steal the phone's contact details to spread to other phones.

While FluBot mostly targets Android devices, iOS users are not exempt from receiving a malicious FluBot SMS. The good thing: iOS apps can normally only be downloaded via the official Apple App Store, which makes it much harder for the malware to land on iPhones and iPads. Android users, on the other hand, need to be more careful, as the app will install itself on phones that have enabled side loading, meaning that their owners allow the installation of apps from outside the Google Play store.

How does FluBot work exactly? 

According to NortonLifeLock, the successful spread of this malware can be attributed to its distribution and timing, as a direct result of the impact of the COVID-19 pandemic on people's digital lives.        

The cybercriminals' first step is to send an SMS to thousands of mobile devices. It could be an SMS advising that you've received a voicemail, detailing a specific time and date for the missed call and asking you to click the link to access the recording. The other common ruse is to encourage you to click a link so you can apparently see the location of your parcel.

Due to COVID-19, more people than ever are using online shops to buy their goods, so receiving a parcel tracking link appears very plausible.        

The links and SMS are disguised to appear as though they come from a familiar and trusted company. However, once clicked, they redirect the victim to a webpage. The webpage is designed to look legitimate to encourage the victim to believe they've been brought to the official company website. A popup prompt will appear and ask the victim to download and install an app. This is a malicious app and can be highly dangerous for your personal data. The disguised app will most likely ask for accessibility permissions, in order to grant itself even more permissions.

At that point, the malicious app is active, armed, and running in the background of the victim's smartphone.

It will now start doing the following:                  

  • Spreading further by accessing the phone's contact list
  • Gathering all the sensitive information it can get

FluBot has yet another goal: monitoring which apps the victim opens. If it recognises a target app, the malware jumps into action by serving overlays that look like the real thing but are designed to collect the victim's data. The final step is to send all the collected user details back to the cybercriminals.

What can you do to help protect yourself against FluBot? 

NortonLifeLock says it is worth maintaining good mobile hygiene - keep your devices updated with the latest operating system, use strong passwords combined with multi-factor authentication and of course, use comprehensive security to help keep your devices and data safe.

  • If you are on an Android device, disable Install Unknown Apps. A lot of malicious apps find their way onto your phone not through the official Google Play store but from unknown sources. While it might be tempting to install the occasional app that you can't find in the official app store, if you're willing to take the risk and trust the source, make sure to disable the feature again afterwards, to reduce any ongoing security risk.
  • Never open links that seem suspicious. Check to make sure that the mail is really from the sender it claims to be. If it promises things that seem to be too good to be true, they probably are. 
  • Don't grant apps broad permissions; only let them access what they need to function. Avoid any apps that ask for more data than necessary. As can be seen in the FluBot case, broad permissions can lead to the malware being able to perform its unwanted tasks and spread itself further.
