Netcraft’s research into the Android banking malware FluBot confirms that its operations are expanding rapidly, with a spike in the number of malware distribution pages deployed, and finance applications affected in greater numbers.
In recent days new overlays have been distributed that target a number of Polish and German banks, only days after news that FluBot has begun to target Australian banks.
FluBot is distributed in the first instance using text messages, containing links to so-called “lure” pages: web pages unintentionally hosted by compromised web servers, commonly impersonating parcel tracking services, or voicemail notifications. Lure pages attempt to induce visitors to download the malware.
German and Polish banks newly targeted
Financial apps are targeted by FluBot using “overlays”: fake user interfaces which typically impersonate the app’s login form and are presented to users when they open the app. Any credentials a user enters in an overlay are sent to a FluBot Command and Control (C2) server, so Android devices with both the FluBot malware and an affected app installed risk the theft of their account credentials, and all the consequences that entails.
Over the period from 10 to 13 August, attacks on the following German banking apps were discovered: Consorsbank, N26 โ The Mobile Bank, SpardaApp, Sparkasse Ihre mobile Filiale, and VR Banking Classic. These apps have in excess of 20 million users between them.
In addition, on 12 August, FluBot was noted to target these Polish banking apps: Bank Millennium, BNP Paribas GOMobile, Getin Mobile, IKO, mBank PL, Moje ING mobile, plusbank24, Santander mobile. These apps have more than 10 million users in total.
FluBot overlay for SpardaApp
FluBot overlay for the Sparkasse app
Analysis
By analysing the lure sites, we have concluded they are controlled from a command and control (C2) server. The C2 server provides both lure site HTML content, and the FluBot application in .apk
(Android application package) format. Equally, the C2 server can return an empty response or cause a redirect to a benign site; this might be intended to make it harder to detect and act against lure sites.
A lure site impersonating UPS
A lure site impersonating DHL
As of the beginning of August, the number of websites detected to be involved in the distribution of FluBot APK files has increased by an order of magnitude.
Graph showing the number of FluBot lure sites detected each day
Once installed, FluBot invites the user to grant accessibility-related permissions; if given, it proceeds to take over the device, granting additional permissions to itself and protecting itself from being uninstalled.
Reverse-engineering of malware samples and interaction with C2 servers has allowed Netcraft to discover affected applications. FluBot uses a Domain Generation Algorithm (DGA) – an algorithm embedded in the malware that generates a list of possible C2 domains – allowing the active C2 domains to change over time. The DGA is a function of the month and a campaign ID; while previously campaign IDs corresponded with attacks on particular countries, they now appear to be selected at random.
Each C2 domain points to ten different compromised servers, providing another level of security for FluBot’s command and control infrastructure.
Soon after installing the malware, FluBot-infected devices contact a C2 server by executing the DGA, and download overlays for installed applications. Displaying the corresponding overlay after the user launches a targeted app allows the malware to steal user credentials.
A FluBot overlay in action, presenting a fake login form a few seconds after the app starts
Countermeasures
Android users can protect themselves using Netcraft’s Android app, which blocks known FluBot lure sites. Affected institutions are invited to contact Netcraft to discuss countermeasures against FluBot lure sites and C2 infrastructure.