Europol shuts down FluBot malware

FluBot’s infrastructure was taken down by a joint operation of Europol and more than 10 police forces worldwide.

The operation, spearheaded by the Dutch police, freed 10,000 victims from FluBot’s network. Since 2020, the malware has been distributed through text messages in several countries. By shutting down the infrastructure, the police were able to prevent 6.5 million messages from being sent.

The operation was prepared by Europol and police units in 11 countries. As far as we know, the distributors and developers of FluBot have not been found. The Dutch police force stated that the malware can no longer be spread, but did not clarify how the network was taken down.

In some cases, cybercrime is tackled by seizing physical servers, as exemplified by the arrests of REvil members in Russia and the seizure of Hydra Market in Germany. In the case of FluBot, the operation appears to have been digital in nature. “A virtual command post was set up by Europol on the day of the takedown to ensure seamless coordination between all the authorities”, a spokesperson shared.

FluBot

FluBot’s distributors have been sending text messages to Android users since 2020. The text messages ask users to download an app to track a package or listen to a voicemail, and include a link that points to a direct download of the FluBot application. Upon installation, the application asks for permission under ‘Accessibility settings’. Once victims agree, the application harvests login details and sends the data to a remote server.

Ultimately, cybercriminals gain access to digital bank accounts, crypto wallets and other sensitive systems. Most victims are unaware of the infection. Europol recommends that, in case of doubt, a device should be reset to the factory settings. That’s the most reliable way to remove the malware.

Accessibility API

FluBot uses Google’s Accessibility API to request permission under ‘Accessibility settings’. If a user grants that permission, the application can control parts of the device. Google designed the feature to aid people with disabilities: users who are unable to change device settings themselves can authorize an application to do so on their behalf.

Although Google meant well, the feature is popular among malware developers, who abuse the API to ensure that their apps cannot be removed. Google is aware of the problem. To prevent abuse, the Accessibility API will be changed on 1 November 2022.

Police against cybercrime

FluBot’s takedown was spearheaded by the cybercrime team of the Dutch police force in the east of the Netherlands. The Dutch police force operates with ten cybercrime teams, one for each region. The teams focus on cybercrime investigations year-round. The Rotterdam division recently contributed to the arrest of two people suspected of involvement in an international phishing group.