PSA: Rescue your phone from the FluBot SMS malware with malninstall
FluBot is an Android-targeting malware that impersonates other apps on a victim’s phone to steal their banking credentials and other private information. It spreads through SMS and can eavesdrop on incoming notifications, read and write SMSes, make calls, and transmit the victims’ entire contact list back to its control center. The virus also lures victims into changing the Accessibility settings on their phones, forbidding them to uninstall it. If you are also a victim of FluBot and are unable to remove it from your smartphone, you should use an app called “malinstall” to get rid of this malware.
FluBot is transmitted mainly through weblinks shared via SMS. These SMSes have persuasive texts that entice the user into clicking on the link, which usually points to a hacked website where the FluBot installation package is hosted. The installer for the malware is hidden within other genuine-looking APKs. When users download and install these APKs, FluBot is also installed on their devices. This malware then invites users to grant access to Android’s Accessibility service and once that happens, it can execute screen taps and other commands without the knowledge of the user.
Swiss cybersecurity firm PRODAFT analyzed FluBot and collected their findings in a report which can be found here (via The Record). The report says FluBot can draw fake webview on top of the target applications to steal users’ private information like online banking login details or credit card details. FluBot downloads fake login screens of different banks from its server almost instantaneously and presents it on top of the legitimate application, leaving hardly any room for suspicion. As you would expect, the details entered by users on these pages are sent to FluBot’s control center and misused thereafter.
FluBot lays low on a user’s smartphone in the form of fake applications. Some of the names used by the attackers for these fake apps include “FedEx,” “DHL,” “Correos,” and “Chrome.” The malware also replaces a user’s default SMS app to intercept all banking-related one-time passwords (OTPs) or access keys received via SMS. Additionally, by transmitting a user’s contact list to its server, the malware sends similar SMSes to other people in the contacts to woo them like the original victim.
This propensity to spread in a flu-like fashion with exponential growth is what earns the malware its name as well. The malware already has access to mobile phone numbers of 11 million Spanish users (nearly 25% of the Spanish population) while researchers at PRODAFT predict that it will collect all phone numbers in Spain if it is not stopped in time.
How to remove FluBot?
One of the most concerning aspects of the FluBot malware is that once it gets access to Accessibility services, it prevents users from uninstalling. When a user tried to uninstall an infected app, they get a toast message saying, “You can not perform this action on a service system,” by force-closing the Settings app, and that makes it even more gruesome. To address this issue, XDA Recognized Developer linuxct has created an open-source app called malninstall.
To uninstall FluBot, malninstall is temporarily set as the default launcher. This inhibits the malware from simulating unwanted taps in the UI and lets the user successfully uninstall it without any hindrance. Once the uninstallation process is complete, malninstall prompts users to revert back to the previous launcher. You can see it in action in the video below:
If you are infected by FluBot, you can download the latest version of malninstall from GitHub by clicking or tapping here. You can also find all the older releases on the GitHub page. For more details, you can visit the malninstall XDA thread linked below: