Finland's National Cyber Security Center (NCSC-FI) has posted a warning against growing attacks by the FluBot Android malware via SMS and MMS.

FluBot’s SMS campaign

NCSC-FI claimed that thousands of malicious messages were sent during this campaign.
  • To lure Android users, attackers use SMS messages containing links to voicemail, missed call notifications, or alerts about incoming money from an unknown financial transaction.
  • The links in these messages redirect victims to a website hosting the FluBot APK, which the victims are urged to download and install to get more details about the transaction.
  • The application urges the victims to allow and grant risky permissions on Android devices, such as managing phone calls, reading the user's address book, and accessing SMS data.
  • Attackers use the contacts list to spread a second-wave SMS from compromised devices. These messages appear to come from a known source and recipients are more likely to open them.
Likewise, iPhone users are redirected to premium subscription frauds and other scams. Apparently, attackers are not leaving any opportunity to make money after a successful infection.

What can FluBot do?

  • Upon infecting an Android device, FluBot steals financial account credentials by overlaying phishing pages on top of genuine banking and cryptocurrency applications.
  • The malware can access SMS data, perform phone calls, and monitor incoming notifications to steal temporary authentication codes, such as OTP, required for regular login credentials.


The SMS campaign is still ongoing and targets Android/iPhone devices to steal financial account credentials. Thus, it is highly recommended to stay alert when receiving hyperlinks in SMS from unknown or suspicious sources. Further, if the device is already infected with FluBot, resetting to factory defaults should remove the malware. 
Cyware Publisher