{
	"id": "b48c1b1a-d325-46a4-a1af-0df4226dfb35",
	"created_at": "2026-04-06T00:10:16.439736Z",
	"updated_at": "2026-04-10T03:30:32.821545Z",
	"deleted_at": null,
	"sha1_hash": "694d7757ecb8620dcec08b65a0ff9d6fa054b735",
	"title": "Android/Flubot: preparing for a new campaign?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 493543,
	"plain_text": "Android/Flubot: preparing for a new campaign?\r\nBy @cryptax\r\nPublished: 2021-03-29 · Archived: 2026-04-05 20:55:39 UTC\r\nUpdate March 29, 2021: a new campaign is confirmed, in Hungary. See this tweet. It looks like the version 3.7 I analyzed wasn’t totally finished: in the sample I analyzed, neither the campaign number nor the DGA had been updated, while the tweet shows a version 3.7 where all modifications have been made.\r\nMarch 29, 2nd update: this is moving rapidly, version 3.8 is already out: see here.\r\nSince Friday (March 26, 2021), Android/Flubot has been propagating a new version, v3.7. As a reminder, Android/Flubot is an Android banking malware which surfaced in November 2020. In short, the malware once again abuses Android’s Accessibility Services, for example to disable Play Protect or to display overlay windows that grab credit card info. But it also abuses the Accessibility Services for features I had not seen in other malware before, such as automatically accepting to send SMS messages. Read this excellent analysis from Prodaft for more details. I won’t repeat what’s in the report and will only focus on the differences.\r\nNew version 3.7 is currently being distributed!\r\nThis video shows Flubot 3.6 in action, communicating with a live C\u0026C. The name of the C\u0026C is generated via a proprietary algorithm. The communication with the C\u0026C is encrypted: we use a Frida hook to display the messages before encryption or after decryption. The video captures the C\u0026C requesting the list of contacts and SMS, disabling Play Protect and asking to propagate the malware via SMS with links to infected sites. Those infected sites currently propagate v3.7.\r\nThe list of APK distribution domains is long (see the “IoCs” section at the end of this article) and changes frequently. The websites check that the browser’s user agent matches an Android platform and won’t respond to other platforms (i.e. you have to send a fake Android user agent to get the pages). The served page is the same as in Prodaft’s report, except that we currently see the German campaign.\r\nhttps://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06\r\nWhen you click to download the application, you get a recent version of the malware.\r\nSeveral of these domains currently serve an APK (sha256 e4d70de608d9491119bacd0729a5a2f55ce477227bd7b55d88fa2086486e886d) which is an even more recent version of Flubot. This sample is packed (like the others) and is a new version, 3.7, of Flubot.\r\nNew version of the day for Android/Flubot: 3.7 (March 26, 2021)\r\nWhat’s new in v3.7?\r\nActually, close to nothing, both in the code and in the obfuscated strings. Reminder: strings are obfuscated using the “paranoid” Java library. You can de-obfuscate all strings of v3.6 and v3.7 with my stand-alone source code.\r\nDe-obfuscated strings of v3.6 left, and v3.7 right. There is close to no difference.\r\nThe only difference lies in preparing support for the Hungarian language.\r\nThe code shows new localized strings for Hungary in v3.7.\r\nDoes this mean the next campaign of Flubot is going to target Hungarian end-users? It’s quite uncertain currently, especially because although the HU_TEXT entry is present, Hungarian strings haven’t been added yet, and the rest of the code does not support the .hu locale. In addition, the campaign indicator ProgConfig.CAMP_NUM_PREF is still set to Germany (49).\r\nTake away summary\r\nBecause of string obfuscation, the obfuscated chunks change for each version of Flubot. However, the de-obfuscated content is very similar. Actually, the only notable change in 3.7 looks like preparation for support of the Hungarian language. Yet, the current campaign still targets German-speaking end-users.\r\nYou can watch a video of Flubot in action (see the beginning of the article). The communication flow with the C\u0026C is visible thanks to a Frida hook which displays text before encryption.\r\nIf you wish to work on Flubot, several scripts (obfuscation, domain name generation, Frida hooks) are available: see References below.\r\nAn updated list of active C\u0026Cs and distribution hosts is provided in the IoCs section.\r\nReferences\r\nFlubot Malware Analysis Report. A must-read!\r\nDGA standalone algorithm, Frida hook by Prodaft. My versions here.\r\nUnpacking Flubot with House. Actually, this is a bit overkill for this sample as it simply sits in a private directory of the app…\r\nIoCs\r\nList of active C\u0026Cs:\r\nBoth domains have changed since Prodaft’s report and currently go to the following (March 26, 2021):\r\nhxxp://nwjkvblqxgdafpu.ru\r\nhxxp://xnekrtnyfyoqwic.ru\r\nList of APK distribution domains:\r\n— Cryptax\r\nSource: https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06"
	],
	"report_names": [
		"android-flubot-preparing-for-a-new-campaign-2f7563fc6c06"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/694d7757ecb8620dcec08b65a0ff9d6fa054b735.pdf",
		"text": "https://archive.orkl.eu/694d7757ecb8620dcec08b65a0ff9d6fa054b735.txt",
		"img": "https://archive.orkl.eu/694d7757ecb8620dcec08b65a0ff9d6fa054b735.jpg"
	}
}