Android mobile phone users across the U.K. are being targeted by text messages containing a spyware called “FluBot,”, according to the country’s National Cyber Security Centre. This variant of the attack is also referred to as Smishing, a combination of “SMS” and “phishing.”
In the case of phishing, attackers send fraudulent emails that trick recipients into opening a malware-aided attachment or clicking on a malicious link. On the other hand, in the case of Smishing, emails are replaced by text messages. Additionally, Android devices continue to remain the prime target for smishing malware for two reasons, including the growing popularity of Android platforms and the flexibility it offers.
In a recent tweet, a security researcher shared information about a tracking ID masquerading to be from DHL. When users click on the link, it redirects to a fake DHL page and drops malware in the background. On scanning the dropped app through VirusTotal, it turns out to be a variant of FluBot detected by multiple antivirus signatures, as shown in Figure 1.
Figure 1 VirusTotal Detections of the App
For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application using the digest from the VirusTotal result.
Figure 2 Information available in the Cyble Threat Intelligence Platform
Sample digest used for our analysis:
74183f6454d2aaa44fcb363eb71beb33f04845c7fe4b402d06a87bab7b99e235
Technical Analysis:
Once the application is installed, FluBot obtains all the permissions necessary to access and steal sensitive information such as passwords, online bank details, and other personal data, as well as the ability to spread itself to other devices.
The available permissions from the application, as retrieved by performing static analysis, are shown in Fig. 3.
Figure 3 Permissions requested by the app
Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below:
Permissions:
- android.permission.SEND_SMS
- android.permission.READ_PHONE_STATE
- android.permission.WRITE_SMS
- android.permission.CALL_PHONE
- android.permission.RECEIVE_SMS
- android.permission.INTERNET
- android.permission.READ_CONTACTS
- android.permission.READ_SMS
- android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
- android.permission.QUERY_ALL_PACKAGES
- android.permission.REQUEST_DELETE_PACKAGES
- android.permission.KILL_BACKGROUND_PROCESSES
- android.permission.ACCESS_NETWORK_STATE
- android.permission.WAKE_LOCK
- android.permission.FOREGROUND_SERVICE
Services:
- com.eg.android.AlipayGphone.MyNotificationListener
- com.eg.android.AlipayGphone.ForegroundService
- com.eg.android.AlipayGphone.HeadlessSmsSendService
- Com.eg.android.AlipayGphone.MyAccessibilityService
Receivers:
- com.eg.android.AlipayGphone.SmsReceiver
- Com.eg.android.AlipayGphone.MmsReceiver
Intent Filters by Action:
- android.service.notification.NotificationListenerService
- android.intent.action.RESPOND_VIA_MESSAGE
- android.accessibilityservice.AccessibilityService
- android.intent.action.MAIN
- android.intent.action.SEND
- android.intent.action.SENDTO
- android.provider.Telephony.WAP_PUSH_DELIVER
- android.provider.Telephony.SMS_DELIVER
On analyzing the APK file, it was observed that the application is encrypted through StringFog (XOR encryption technique), which is an Android plug-in tool. It automatically encrypts strings in dex/aar/jar files, adding a haze layer to strings, making it difficult to understand.
The mechanism behind StringFog is shown below:
Figure 4 StringFog Mechanism
Figure 5 StringFog Implementation in the app
After opening the application, it requests users to enable the accessibility service from the settings to enable full access to the app. After that, it lures victims into changing the Accessibility settings on their phones, forbidding them to uninstall the app. Also, through this service, the app executes screen taps and other commands without the user’s knowledge.
Figure 6 Pop up Message requesting users to enable Accessibility service.
The Code presence of the FluBot can be found in one of the classes, namely, “com.e.g. android.AlipayGphone.MyAccessibilityService” which uses the Bind accessibility service permission. This permission is necessary to allow the accessibility service found in the manifest file of the app. However, obfuscation and partially packed content made it difficult to retrieve the content from the class. This class is mainly used for the remote access functionality, along with the spyware’s ability to steal sensitive information by taking control of other applications and killing the processes running in the background.
Figure 7 Accessibility Service enabled
The FluBot Android Spyware is rapidly spreading across the world. As per the security guidance issued by the National Cyber Security Centre (NCSC), affected users have been requested to reset their devices and also change their passwords that may have been compromised.
Safety Recommendations:
- Keep your antivirus software updated to detect and prevent malware infections.
- Keep your system and applications updated.
- Use strong passwords and enable two-factor authentication during logins.
- Verify the privileges and permissions requested by the app before granting access.
- People concerned about the exposure of their stolen credentials in the dark web can register at AmiBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques- for Mobile
| Tactic | Technique ID | Technique Name |
| Défense Evasion | T1418 T1406 | 1. Application Discovery 2. Obfuscated Files or Information |
| Credential access | T1409 | 1.Access Stored Application Data |
| Discovery | T1421 T1422 T1430 T1418 T1426 | 1. System Network Connections Discovery 2. System Network Configuration Discovery 3. Location Tracking 4. Application Discovery 5. System Information Discovery |
| Collection | T1432 T1430 T1507 T1409 | 1. Access Contact List 2. Location Tracking 3. Network Information Discovery 4. Access Stored Application Data |
| Command and Control | T1573 T1071 T1571 T1219 | 1. Encrypted Channel 2. Application Layer Protocol 3. Non-standard Port 4. Remote Access Software |
| Impact | T1447 T1448 | 1. Delete Device Data 2. Carrier Billing Fraud |
Indicators of Compromise (IoCs):
| IoC | IoC Type |
| 74183f6454d2aaa44fcb363eb71beb33f04845c7fe4b402d06a87bab7b99e235 | SHA256 |
| android.accessibilityservice.AccessibilityService | Intent by Action |
| android.provider.Telephony.WAP_PUSH_DELIVER | Intent by Action |
| https://wa.me/qr/ | Interesting URL |
| 172.217.23.46 | IP address |
| /data/user/0/com.eg.android.AlipayGphone/shared_prefs/DHL.xml | File path dropped. |
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
