Cyble Research Labs discovered a sample of a FluBot malware variant during a routine threat-hunting exercise. The variant names itself “Android Security Update“, to deceive users into thinking that the malware is genuine. FluBot is a variant of malware that takes control of devices, collects sensitive information, and even sends messages to the victims’ contacts.

To distribute the malware, the software leverages a technique called Smishing (a hybrid of SMS and Phishing) attacks. In the case of phishing, attackers send phony emails that mislead recipients into opening malware-laden attachments or clicking on harmful links. In Smishing, emails are substituted by text messages.

The renowned Flubot Android banking Trojan adopts a wicked trick up its sleeve to target New Zealand (NZ) users. It deceives NZ users into downloading a false “ Android Security Update” app by warning them about… FluBot itself.

The link directs the user to a page that either instructs them to download a package tracking app or informs them that their phones have been infected with FluBot and that they should download anti-FluBot software.

If users follow the link in the text message, they are presented with a bright red screen that states, “Your device is infected with the FluBot malware.” “Android has identified an infection on your smartphone.“

The notification by itself doesn’t infect the user’s device, but if users follow the directions in the message, the malicious program then redirects users to a download page that tricks them into installing it on their device, which later compromises the device.

The malware sample was downloaded and thoroughly examined by Cyble Research Labs. We discovered that the FluBot variant spreading through this campaign is version “V4.9,” which has code functionalities identical to “V4.8” and performs suspicious activities like accessing Contact data, SMS data, and device alerts.

Technical Analysis

APK Metadata Information:

The metadata information of the downloaded and analyzed sample is shown in Figure 3.

Manifest Data:

The malware requests multiple dangerous permissions such as SEND_SMS, READ_PHONE_STATE, CALL_PHONE, RECEIVE_SMS, READ_CONTACTS, and READ_SMS. Upon granting these permissions, the malicious app can perform the below activities:

• The application asks the users to turn on the Accessibility service.
• The application asks for complete control of the device.
• The application asks the users to allow access to notifications.
• The application asks the users to allow it to replace the default SMS app – Once it gets this permission, the application can handle SMS data.
• The applications can read contacts from the compromised device and uploads them to its server.
• The application can access incoming and stored messages from the victim’s device. Additionally, it can also send and delete SMS data.
• The application can kill the background process of other apps.

Upon reviewing the application’s code, the application has multiple entry points declared in the manifest file. “com.miniclip.carrom.g” is the application subclass and main entry point of the malicious app, which initially loads upon launching the app.

Upon further inspection, we noticed that MainActivity, MainReceiver, and other classes from the manifest file are missing from the APK file. The malware uses a custom packer to evade signature-based detection.

With the help of this custom packer, the fake app hides these classes inside a DEX file. The DEX file is encrypted and saved in the assets section of the APK.

During the execution phase, the malicious app unpacks and loads the classes from the DEX file. We were able to decrypt the DEX file through reverse engineering. This code is depicted in the diagram below.

Common Functionalities of the FluBot App:

Compared to the earlier versions of FluBot, we observed some of the data collected by the malware app after compromising the victim’s device analysis is as below:

• Code snippet of the app that can read and collect contact data is shown in the below figure.

• The malware can also send text messages as shown below.

• Upon enabling notification access by the user, the malware reads/steals the incoming notifications and cancels them without user interaction or knowledge.

Commands Used by FluBot App:

Generally, FluBot malware performs malicious activities by receiving commands from Command-and-Control servers (C&C). The commands in the sample analyzed by Cyble Research labs are encrypted via custom implementation of XOR and are listed below:

Commands	Description
UNINSTALL_APP	Removes the application by referring to package
SMS_INT_TOGGLE	Intercepts SMS
SOCKS**	Configures Socks Proxy for redirection
BLOCK	Blocks Notification
UPLOAD_SMS	Uploads the collected SMS data
OPEN_URL	To the Load the WebView page
NOTIF_INT_TOGGLE	Intercepts Notification
RUN_USSD	To access and perform call-related functions
DISABLE_PLAY_PROTECT**	Deactivating Play Protect security for Device
RELOAD_INJECTS	To update new overlays in the malware
SEND_SMS	Text Messages Sent
GET_CONTACTS	Reads and Collects the Contact data
RETRY_INJECT	Clear flag value saved in shared preferences
INTERCEPTING_NOTIF	Intercepting the incoming notifications

Table 1 Commands Identified in the Malware sample

DGA Module:

Some of the common features that are highlighted in Table 1(**), are replicated in recently discovered banking trojans.

FluBot is also well known for its Domain Generation Algorithm (DGA), a unique feature not observed in most Banking Trojan malware families.

The address of the C&C server is obtained by FluBot using a Domain Generation Algorithm (DGA).

According to the current year and month, the DGA creates over 2000 domains. With “su,” “ru,” and “cn” Top-Level Domains (TLDs), domains are 15 characters long. The below figure shows the subset of the URLs generated using the DGA.

Through this URL generated by the DGA, the data collected by the malware is exfiltrated through the C&C server. Attackers use the DGA functionality to change the domains being used for malware attacks swiftly.

DGA is implemented here because security software and providers move swiftly to prohibit and takedown malicious domains used by malware.

The malware encrypts the part of the request it sends to the server with the public RSA key, as shown in Figure 11.

Conclusion:

We’ve observed numerous forms of banking malware that perform various operations on victims’ mobile bank accounts over time. This FluBot malware version exploits the user’s device and takes control of the entire device. This enables it to steal passwords, bank details, and other sensitive information from infected devices by abusing the Accessibility Service on an unsuspecting victim’s phone.

Furthermore, the distribution technique for FluBot malware via a Smishing campaign frequently changes its theme. Examples include impersonating a well-known courier firm, a voicemail lure, and, as outlined in the above analysis, impersonating a security program.

Threat Actors continually adapt their approaches to avoid detection and find new ways to target users using sophisticated methods. Malicious software is frequently disguised as legitimate software to trick users into installing it.

Users should be wary of activating the required permissions even in apps distributed through well-known app portals like Google Play Store – since we have observed banking malware increasingly exploiting the Accessibility Service on Android devices.

Our Recommendations:

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

• Download and install software only from official app portals such as Google Play Store.
• Ensure that Google Play Protect is enabled on Android devices.
• Users should be careful while enabling any permissions on their devices.
• If you find any suspicious applications on your device, uninstall, or delete them immediately. 
• Keep your anti-virus software updated to detect and remove malicious software. 
• Use strong passwords and enable two-factor authentication. 

Additionally, if New Zealand users come across these fraudulent text messages that are in loops, Cert.govt.nz has offered some tips on its official website. We have also asked users to follow their suggestions and report incidents to the officials via the shared phone number listed on their blog website.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Defense Evasion	T1418	Application Discovery
Defense Evasion	T1406	Obfuscated Files or Information
Credential Access/Collection	T1409	Access Stored Application Data
Discovery	T1421	System Network Connections Discovery
Discovery	T1422	System Network Configuration Discovery
Discovery/Collection	T1430	Location Tracking
Discovery	T1426	System Information Discovery
Discovery	T1424	Process Discovery
Collection	T1432	Access Contact List
Collection	T1507	Network Information Discovery
Network Effects	T1449	Exploit SS7 to Redirect Phone Calls/SMS
Impact	T1447	Delete Device Data
Impact	T1448	Carrier Billing Fraud

Indicators Of Compromise (IOCs) 

Indicators	Indicator type	Description
6e3499a5e63209b34ccc787a7ea57953ff5436b51ca4325ea0da4a958f44ea7b	SHA256	Malicious APK
c8c0c074c1b5f9a1c0a383b90609cb8c0a0734a5a543af88fafd2b735d54c663	SHA256	Malicious APK
hxxp://yoquqwxxjttsmuh[.]ru/p.php	URL	Communicating URL
hxxp://gsvjcagswqsaosn[.]ru/p.php	URL	Communicating URL
hxxp://kkwpifwkkxilltk[.]ru/p.php	URL	Communicating URL
hxxp://revgmkegctflpes[.]ru/p.php	URL	Communicating URL
hxxp://diekqueqmlpmofa[.]cn/p.php	URL	Communicating URL
hxxp://asfnfpfibhtrafy[.]ru/p.php	URL	Communicating URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.