Password-stealing Android malware uses sneaky security warning to trick you into downloading

The text messages claim that users need to download a security update to rid their device of FluBot malware - but the link actually installs that very malware.
Written by Danny Palmer, Senior Writer

One particularly sneaky piece of malware is trying to trick Android users into downloading it by claiming that their smartphone is already infected with that very same malware and that they need to download a security update.

The text message scam delivers FluBot, a form of Android malware that steals passwords, bank details and other sensitive information from infected smartphones. FluBot also exploits permissions on the device to spread itself to other victims, allowing the infection chain to continue. While the links can be delivered to iPhones, FluBot can't infect Apple devices. 

FluBot attacks have commonly come in the form of text messages that claim the recipient has missed a delivery, asking them to click a link to install an app to organise a redelivery. This app installs the malware. 

But that isn't the only technique cybercriminals are using to trick people into downloading FluBot malware - New Zealand's Computer Emergency Response Team (CERT NZ) has issued a warning over scam text messages that claim the user is already infected with FluBot and they need to download a security update. 

After following the link, the user sees a red warning screen that claims "your device is infected with FluBot malware" and explicitly states that FluBot is Android spyware that aims to steal financial login and password data.

At this point, the device is not actually infected with anything at all. The malware distributors are being so "honest" about FluBot because they want the victim to panic and follow a link to install a "security update", which actually infects the smartphone with malware.

This provides the attackers with access to all the financial information they want to steal, as well as the ability to spread FluBot malware to contacts in the victim's address book. 

FluBot has been a persistent malware problem around the world, but as long as the user doesn't click on the link, they won't get infected. Anyone who fears they've clicked a link and downloaded FluBot malware should contact their bank to discuss whether there's been any unusual activity and should change all of their online account passwords to stop cybercriminals from having direct access to the accounts.

If a user has been infected with FluBot, it's also recommended they perform a factory reset on their phone in order to remove the malware from the device. 

It can be difficult to keep up with mobile alerts, but it's worth remembering that it's unlikely that companies will ask you to download an application from a direct link – downloading official apps via official app stores is the best way to try to keep safe when downloading apps. 

