Thanks to visit codestin.com
Credit goes to attack.mitre.org

  1. Home
  2. Software
  3. FluBot

FluBot

FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]

ID: S1067
Type: MALWARE
Platforms: Android
Version: 1.1
Created: 28 February 2023
Last Modified: 27 March 2025
Version Permalink
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

FluBot can access app notifications.[1]
Mobile T1437 .001 Application Layer Protocol: Web Protocols

FluBot can use HTTP POST requests on port 80 for communicating with its C2 server.[1]
Mobile T1637 .001 Dynamic Resolution: Domain Generation Algorithms

FluBot can use Domain Generation Algorithms to connect to the C2 server.[1]
Mobile T1521 .002 Encrypted Channel: Asymmetric Cryptography

FluBot has encrypted C2 message bodies with RSA and encoded them in base64.[1]
Mobile T1646 Exfiltration Over C2 Channel

FluBot can send contact lists to its C2 server.[1]
Mobile T1628 .002 Hide Artifacts: User Evasion

FluBot can use locale.getLanguage() to choose the language for notifications and avoid user detection.[1]
Mobile T1629 .001 Impair Defenses: Prevent Application Removal

FluBot can use Accessibility Services to make removal of the malicious app difficult.[2]
.003 Impair Defenses: Disable or Modify Tools

FluBot can disable Google Play Protect to prevent detection.[1][3]

Mobile T1417 .002 Input Capture: GUI Input Capture

FluBot can add display overlays onto banking apps to capture credit card information.[1]
Mobile T1406 Obfuscated Files or Information

FluBot can obfuscated class, string, and method names in newer malware versions.[1]
Mobile T1660 Phishing

FluBot has been distributed via malicious links in SMS messages.[3]

Mobile T1636 .003 Protected User Data: Contact List

FluBot has used the contact list to infect more devices.[1][3]

.004 Protected User Data: SMS Messages

FluBot can intercept SMS messages and USSD messages from Telcom operators.[1]
Mobile T1604 Proxy Through Victim

FluBot can use a SOCKS proxy to evade C2 IP detection.[1]
Mobile T1582 SMS Control

FluBot can send SMS phishing messages to other contacts on an infected device.[1][2]
Mobile T1409 Stored Application Data

FluBot has collected credentials, banking details and other information from the victim device.[3]

References

  1. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  2. Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.
  1. Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.