{
	"id": "18f7e0bf-f83e-4699-9f6a-7443ae0bc7b9",
	"created_at": "2026-04-06T00:09:49.433554Z",
	"updated_at": "2026-04-10T03:21:05.674397Z",
	"deleted_at": null,
	"sha1_hash": "755d3fe575f34dd67959fb6293529f6df810d4c2",
	"title": "FluBot Variant Posing As Default Android Voicemail App",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1744979,
	"plain_text": "FluBot Variant Posing As Default Android Voicemail App\r\nPublished: 2021-09-09 · Archived: 2026-04-05 18:14:25 UTC\r\nFluBot malware operates by taking over devices, collecting sensitive information, and even sending messages to the\r\nvictim’s contacts.\r\nDuring our routine threat hunting exercise, Cyble Research Labs came across a sample of the FluBot malware from our\r\nOSINT research. This variant calls itself “Voicemail” to trick users into thinking that it’s the default Voicemail app.\r\nFluBot is a type of malware that operates by taking over devices, collecting sensitive information from them, and even\r\nsending messages to the victim’s contacts.\r\nThe application uses Smishing (a combination of SMS+Phishing) attacks to spread the malware. In the case of\r\nphishing, attackers send fraudulent emails that trick recipients into opening an attachment which includes malware, or\r\nby clicking on a malicious link. In the case of Smishing, emails are replaced by text messages.\r\nWorld's Best AI-Native Threat Intelligence\r\nCyble Research Labs downloaded the malware sample and performed a detailed analysis. Through our analysis, we\r\ndetermined that the malware performs suspicious activities such as reading Contact data, SMS data, and device\r\nnotifications.\r\nThe malware explicitly requests users for complete control of their devices. After gaining full access and permissions,\r\nthe malware further enhances its functionalities.\r\nThe image below shows the statistical view of FluBot samples distributed by the attackers observed through our open-source analysis from one of our Threat hunting sources. Refer to Figure 1.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 1 of 13\n\nFigure 1: Statistical View\r\nTechnical Analysis\r\nAPK Metadata Information\r\nFigure 2 shows the metadata information of the application.\r\nFigure 2: Metadata Information\r\nWe have outlined the flow of the application and the various activities conducted by it. Refer to Figure 3.\r\nThe application asks the users to turn on the accessibility service.\r\nThe application asks for complete control of the device.\r\nThe application asks the users to allow access to notifications.\r\nThe application asks the users to allow it to replace the default SMS app. Once it gets this permission, the\r\napplication can handle SMS data.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 2 of 13\n\nFigure 3: Application Start Flow\r\nUpon simulating the application, it requests that users enable the Accessibility service. Attackers can abuse this service\r\nto carry out malicious activities such as clicking buttons remotely to gain admin privileges and trick users into clicking\r\non overlay content over the screen. Refer to Figure 4.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 3 of 13\n\nFigure 4: Requests Accessibility Service\r\nFigure 5 shows the malware asking users to give them complete access to the device. Once the malware gains complete\r\ncontrol over the device, it can perform the following activities:\r\nView and control screen.\r\nControl device data, including contacts, SMSs, and pictures.\r\nDelete or manipulate the device’s data.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 4 of 13\n\nFigure 5: Asks for Full Control\r\nFigure 6 shows that the malware asks the users to enable Notification access for the application. Once the application\r\ngets notification access, it can read all notifications on the device, including the SMS data of the device.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 5 of 13\n\nFigure 6: Asks for Notification Access\r\nUpon receiving notification access, the application requests users to make the application their default SMS app. Upon\r\nbecoming the default SMS app, the app proceeds with its malicious activities. Refer to Figure 7.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 6 of 13\n\nFigure 7: Asks for Default SMS App Permission\r\nManifest Description\r\nVoicemail requests sixteen different permissions, of which the attackers could abuse seven. In this case, the malware\r\ncan:\r\nReads SMS and Contacts data.\r\nMake calls without user intervention\r\nDelete SMS data\r\nCan kill background process of other apps\r\nReceive and send SMSs\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 7 of 13\n\nWe have listed the dangerous permissions below.\r\nPermissions Description\r\nREAD_SMS Access phone messages.\r\nREAD_CONTACTS Access phone contacts.\r\nWRITE_SMS\r\nAllows applications to write SMS messages. Malicious\r\napps may manipulate SMS data.\r\nKILL_BACKGROUND_PROCESSES\r\nAllows applications to kill the background processes of\r\nother apps.\r\nCALL_PHONE\r\nAllows an application to initiate a phone call without\r\ngoing through the Dialer user interface to confirm the\r\ncall.\r\nRECEIVE_SMS Allows an application to receive SMS messages.\r\nSEND_SMS Allows an application to send SMS messages.\r\nTable 1: Permissions’ Description\r\nUpon reviewing the code of the application, we identified the launcher activity of the malicious app as shown in Figure\r\n8.\r\nFigure 8: Launcher Activity\r\nWe were able to identify that the permissions and services defined in the manifest file can replace the default Messages\r\napp. After getting default app permissions, this app will be able to handle sending and receiving SMSs and MMSs.\r\nRefer to Figure 9.\r\nFigure 9: Handles SMS and MMS\r\nFigure 10 demonstrates that the malware has defined customized services that leverage the\r\nBROADCAST_WAP_PUSH service. Using this service, an application can broadcast a notification stating that a\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 8 of 13\n\nWAP Push message has been received.\r\nFigure 10: Using Broadcast WAP Push Permission\r\nThreat Actors (TAs) can abuse this service to generate false MMS message receipts or replace the original content with\r\nmalicious content. As per Goohttps://cyble.com/knowledge-hub/google-dorks-master-advanced-search-hacks/gle, this\r\nservice is not for use by third-party applications.\r\nFigure 11 demonstrates that the malware has defined customized services that leverage the permission\r\nSEND_RESPOND_VIA_MESSAGE, permitting the application to send a request to other messaging apps to handle\r\nRespond-via-Message action for incoming calls.\r\nFigure 11: Using Send Respond VIA Message\r\nSource Code Description\r\nThe code given in Figure 12 shows that the malware is capable of reading Contact data.\r\nFigure 12: Reads Contact Data\r\nThe code shown in Figure 13 demonstrates that the malware is capable of sending text messages as well.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 9 of 13\n\nFigure 13: Sending SMS\r\nThe code in Figure 14 shows that the malware is capable of reading notification data and removing the notifications\r\naltogether.\r\nFigure 14: Reads Notification Data\r\nThe code shown in Figure 15 demonstrates the encryption technique used by the malware to encrypt the data.\r\nFigure 15: Encryption Technique Used by the Malware\r\nThe below code shows encrypted strings. After decrypting some strings, we determined that they also contain the\r\nFluBot malware variant version information. Refer to Figure 16.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 10 of 13\n\nFigure 16: Encrypted Strings\r\nThe malware obfuscates certain data such as strings, Command and Control (C\u0026C) Commands, malicious APIs using\r\ncustom encryption techniques.\r\nUpon analyzing the sample, we found that the malware uses a simple XOR algorithm. The input to the algorithm has\r\nbeen stored in the form of integers. Refer to Figure 17.\r\nFigure 17: Decryption Code\r\nTraffic Analysis Description\r\nDuring our traffic analysis, we observed the malware communicating with various IP addresses. Refer to Figure 18.\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 11 of 13\n\nFigure 18: Communicates with the Server\r\nFigure 19 shows that the malware has hardcoded data, i.e., the malicious URL, based out of Russia.\r\nFigure 19: Hardcoded Data\r\nConclusion\r\nThreat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated\r\ntechniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing\r\nthem.\r\nUsers should install applications only after verifying their authenticity and install them exclusively from the official\r\nGoogle Play Store to avoid exposure to such attacks.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:   \r\nDownload and install software only from official app stores like Google Play Store.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nUsers should be careful while enabling any permissions on their devices.\r\nIf you find any suspicious applications on your device, uninstall, or delete them immediately. \r\nUse the shared IOCs to monitor and block the malware infection. \r\nKeep your anti-virus software updated to detect and remove malicious software. \r\nKeep your Android device, OS, and applications updated to the latest versions. \r\nUse strong passwords and enable two-factor authentication. \r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nExecution T1204.002 User Execution: Malicious File\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 12 of 13\n\nDefense Evasion T1418  Application Discovery\r\nCredential Access\r\nT1412\r\nT1432\r\nCapture SMS Messages\r\nAccess Contacts List\r\nImpact T1565 Manipulation\r\nIndicators of Compromise (IOCs)  \r\nIndicators\r\nIndicator\r\ntype\r\nDescription\r\n9624131c01da6d5b61225a465a83efd32291fa3f2352445c3c052d9d8cfb2daa SHA256 Malicious APK\r\nhxxp://85.214.228[].]140/p.php IP\r\nCommunicating\r\nURL\r\nasfnfpfibhtrafy[].]ru URL C2 Domain\r\nhxxp://87.106.18[].]146/p.php IP\r\nCommunicating\r\nURL\r\nkkwpifwkkxilltk[.]ru URL C2 Domain  \r\nhxxp://181.129.180[].]251/p.php IP\r\nCommunicating\r\nURL\r\npoceeubeciuqyto[].]ru URL C2 Domain  \r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk\r\nfootprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one\r\nof the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in\r\nAustralia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.\r\nSource: https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nhttps://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/"
	],
	"report_names": [
		"flubot-variant-masquerading-as-the-default-android-voicemail-app"
	],
	"threat_actors": [],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/755d3fe575f34dd67959fb6293529f6df810d4c2.pdf",
		"text": "https://archive.orkl.eu/755d3fe575f34dd67959fb6293529f6df810d4c2.txt",
		"img": "https://archive.orkl.eu/755d3fe575f34dd67959fb6293529f6df810d4c2.jpg"
	}
}