Watch out! FluBot Android malware attacks are running rampant across multiple countries as threat actors evolve their strategies. The malware, which is very prominent in several European countries, was recently spotted in an attack targeting users in the U.S. Another report also sheds light on the malware attack against Android users in the U.K.

What is FluBot now up to?

  • Recent studies on the FluBot banking malware confirmed that there has been a spike in the number of malicious distribution pages affecting a number of Australian, Polish, and German banks.
  • The maligned web pages were distributed via text messages impersonating parcel tracking services or voicemail notifications.
  • The interesting aspect of these campaigns involved the manner in which FluBot used the overlay of multiple popular banking apps to steal user credentials.
  • Moreover, researchers discovered that the malware used a Domain Generation Algorithm (DGA) to stay under the radar during the infection process.

The interesting aspect of overlaying the apps

  • The malicious pages that pretend to be fake voicemail notifications or parcel delivery services are actually controlled by C2 servers handled by attackers.
  • The users are asked to download a FluBot APK on the pretext of tracking their package or to listen to the voicemail.
  • Once installed, the infected devices contact a C2 server by executing the DGA, and download overlays for banking applications installed on victims’ devices.
  • This technique enabled the attackers to take over apps related to Consorsbank, N26, Sparda, VR Banking Classic that have more than 20 million downloads. Among the other affected banks are Bank Millenium, BNP Paribas, Getin Bank, and Plusbank24.


To reduce the risk of becoming a victim of FluBot, mobile users are recommended to be wary of unexpected SMS messages. Refraining from installing applications outside of legitimate app stores also helps in minimizing security risks.

Cyware Publisher