During our routine threat hunting exercise, Cyble Research Labs came across a sample of the FluBot malware from our OSINT research. This variant calls itself “Voicemail” to trick users into thinking that it’s the default Voicemail app.
FluBot is a type of malware that operates by taking over devices, collecting sensitive information from them, and even sending messages to the victim’s contacts.
The application uses Smishing (a combination of SMS+Phishing) attacks to spread the malware. In the case of phishing, attackers send fraudulent emails that trick recipients into opening an attachment which includes malware, or by clicking on a malicious link. In the case of Smishing, emails are replaced by text messages.
Cyble Research Labs downloaded the malware sample and performed a detailed analysis. Through our analysis, we determined that the malware performs suspicious activities such as reading Contact data, SMS data, and device notifications.
The malware explicitly requests users for complete control of their devices. After gaining full access and permissions, the malware further enhances its functionalities.
The image below shows the statistical view of FluBot samples distributed by the attackers observed through our open-source analysis from one of our Threat hunting sources. Refer to Figure 1.
Technical Analysis
APK Metadata Information
Figure 2 shows the metadata information of the application.
We have outlined the flow of the application and the various activities conducted by it. Refer to Figure 3.
- The application asks the users to turn on the accessibility service.
- The application asks for complete control of the device.
- The application asks the users to allow access to notifications.
- The application asks the users to allow it to replace the default SMS app. Once it gets this permission, the application can handle SMS data.
Upon simulating the application, it requests that users enable the Accessibility service. Attackers can abuse this service to carry out malicious activities such as clicking buttons remotely to gain admin privileges and trick users into clicking on overlay content over the screen. Refer to Figure 4.
Figure 5 shows the malware asking users to give them complete access to the device. Once the malware gains complete control over the device, it can perform the following activities:
- View and control screen.
- Control device data, including contacts, SMSs, and pictures.
- Delete or manipulate the device’s data.
Figure 6 shows that the malware asks the users to enable Notification access for the application. Once the application gets notification access, it can read all notifications on the device, including the SMS data of the device.
Upon receiving notification access, the application requests users to make the application their default SMS app. Upon becoming the default SMS app, the app proceeds with its malicious activities. Refer to Figure 7.
Manifest Description
Voicemail requests sixteen different permissions, of which the attackers could abuse seven. In this case, the malware can:
- Reads SMS and Contacts data.
- Make calls without user intervention
- Delete SMS data
- Can kill background process of other apps
- Receive and send SMSs
We have listed the dangerous permissions below.
| Permissions | Description |
| READ_SMS | Access phone messages. |
| READ_CONTACTS | Access phone contacts. |
| WRITE_SMS | Allows applications to write SMS messages. Malicious apps may manipulate SMS data. |
| KILL_BACKGROUND_PROCESSES | Allows applications to kill the background processes of other apps. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
| SEND_SMS | Allows an application to send SMS messages. |
Upon reviewing the code of the application, we identified the launcher activity of the malicious app as shown in Figure 8.
We were able to identify that the permissions and services defined in the manifest file can replace the default Messages app. After getting default app permissions, this app will be able to handle sending and receiving SMSs and MMSs. Refer to Figure 9.
Figure 10 demonstrates that the malware has defined customized services that leverage the BROADCAST_WAP_PUSH service. Using this service, an application can broadcast a notification stating that a WAP Push message has been received.
Threat Actors (TAs) can abuse this service to generate false MMS message receipts or replace the original content with malicious content. As per Google, this service is not for use by third-party applications.
Figure 11 demonstrates that the malware has defined customized services that leverage the permission SEND_RESPOND_VIA_MESSAGE, permitting the application to send a request to other messaging apps to handle Respond-via-Message action for incoming calls.
Source Code Description
The code given in Figure 12 shows that the malware is capable of reading Contact data.
The code shown in Figure 13 demonstrates that the malware is capable of sending text messages as well.
The code in Figure 14 shows that the malware is capable of reading notification data and removing the notifications altogether.
The code shown in Figure 15 demonstrates the encryption technique used by the malware to encrypt the data.
The below code shows encrypted strings. After decrypting some strings, we determined that they also contain the FluBot malware variant version information. Refer to Figure 16.
The malware obfuscates certain data such as strings, Command and Control (C&C) Commands, malicious APIs using custom encryption techniques.
Upon analyzing the sample, we found that the malware uses a simple XOR algorithm. The input to the algorithm has been stored in the form of integers. Refer to Figure 17.
Traffic Analysis Description
During our traffic analysis, we observed the malware communicating with various IP addresses. Refer to Figure 18.
Figure 19 shows that the malware has hardcoded data, i.e., the malicious URL, based out of Russia.
Conclusion
Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.
Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid exposure to such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Users should be careful while enabling any permissions on their devices.
- If you find any suspicious applications on your device, uninstall, or delete them immediately.
- Use the shared IOCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Android device, OS, and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1418 | Application Discovery |
| Credential Access | T1412 T1432 | Capture SMS Messages Access Contacts List |
| Impact | T1565 | Manipulation |
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
| 9624131c01da6d5b61225a465a83efd32291fa3f2352445c3c052d9d8cfb2daa | SHA256 | Malicious APK |
| hxxp://85.214.228[].]140/p.php | IP | Communicating URL |
| asfnfpfibhtrafy[].]ru | URL | C2 Domain |
| hxxp://87.106.18[].]146/p.php | IP | Communicating URL |
| kkwpifwkkxilltk[.]ru | URL | C2 Domain |
| hxxp://181.129.180[].]251/p.php | IP | Communicating URL |
| poceeubeciuqyto[].]ru | URL | C2 Domain |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.