{
	"id": "7c29073a-30cd-45d0-9955-eeac0eb0671d",
	"created_at": "2026-04-06T00:09:46.888225Z",
	"updated_at": "2026-04-10T13:11:44.396862Z",
	"deleted_at": null,
	"sha1_hash": "86b9c95e685187418a8f9abb7821ffcc2455a744",
	"title": "New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 513337,
	"plain_text": "New FluBot Campaign Sweeps through Europe Targeting Android\r\nand iOS Users Alike\r\nBy Filip TRUȚĂ\r\nArchived: 2026-04-05 22:35:01 UTC\r\nFluBot operators are targeting European countries with a renewed smishing campaign, leaping from one country\r\nto another in an intense push to sneak data-stealing malware onto people’s phones.\r\nInitially detected around Easter in Bitdefender’s home country, Romania, the latest FluBot campaign uses the\r\nsame smishing techniques as before: an SMS advertising fake content – typically a voice message. Android and\r\niPhone users are receiving the texts in nearly equal doses this time, but Android users are still the primary target.\r\nFluBot spares no one\r\nIt all starts with an SMS advertising fake content behind a tainted link.\r\nCredit: Bitdefender\r\nhttps://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/\r\nPage 1 of 11\n\nCredit: kyberturvallisuuskeskus.fi\r\nCredit: Bitdefender\r\nIf users access the link, an installation prompt asks them for permission to install an unknown app – in this case, a\r\nfake Voicemail app purportedly required to listen to the voice message.\r\nCredit: Bitdefender\r\nThe attackers’ main objective here is to get users to install the FluBot banking trojan with their own hands. 
If the\r\nvictim follows through with the instructions, the fake Voicemail app (FluBot) requests Accessibility permissions to\r\ngive itself full access to areas of interest on the phone.\r\nCredit: Bitdefender\r\nIf granted access, FluBot collects the victim’s Contacts and uses the SMS app to continue spreading malicious\r\nlinks throughout the mobile ecosystem, all while stealing data and sending it to the C\u0026C server. It also uses its\r\nAccessibility privileges to make it hard for the user to uninstall the app.\r\nA typical banking Trojan, FluBot is designed to siphon credit card information and credentials, enabling\r\ncybercriminals to not just steal money, but also to raid victims’ various accounts. Here is a list of application\r\nicons that FluBot mimics.\r\nCredit: Bitdefender\r\nFluBot doesn’t run on iOS. But when iPhone owners access the infected links, they are redirected to phishing sites\r\nand subscription scams. In the example below, a typical survey scam unfolds. Victims are encouraged to answer a\r\nfew market research questions for a guaranteed iPhone 13.\r\nCredit: Bitdefender\r\nMost of Europe targeted\r\nFollowing the Easter campaign unfolding in Romania, Bitdefender started monitoring FluBot activity more\r\nclosely across the Old Continent and noticed a considerable spike in April-May.\r\nSpike in FluBot activity (Europe). 
Credit: Bitdefender\r\nThis coincides with reports not just from Romania, but from Finland as well. Finns are having their second major run-in\r\nwith FluBot in six months. Both campaigns have seen highly localized messages with decent wording, suggesting\r\nthat FluBot operators are investing more time and effort to expand their reach – in terms of both platform and\r\nlanguage.\r\nFinland spike in FluBot. Credit: Bitdefender\r\nThis time, most of Europe is targeted in a concerted effort from FluBot operators. The most targeted countries are\r\nGermany, Romania, UK, Poland, Spain, Sweden, Austria, Finland, and Denmark. Romania and Germany are by\r\nfar the most-targeted regions in this rejuvenated FluBot campaign, with a combined 69% share, as the chart below\r\nshows.\r\nTop targeted regions. Credit: Bitdefender\r\nWhile multiple regions were hit around the same time, placing random pairs of countries side by side shows more\r\nclearly that attack peaks don’t actually coincide. 
This suggests that individual, localized campaigns were\r\nprogrammed from the start.\r\nFor example, detections started ramping up in Poland just as attacks were dwindling in Romania.\r\nFinns and Swedes were targeted in a similar fashion, with detections in Sweden dwindling as the Finland campaign\r\nstarted ramping up.\r\nBelgium and Spain offer more examples of this behavior.\r\nAll in all, FluBot operators seem to be concentrating on smaller, localized campaigns aimed at individual\r\ncountries.\r\nLikely not the last of FluBot we’ll see this year\r\nDespite arrests of multiple people suspected of operating the malware, FluBot campaigns have actually intensified\r\nin recent times, meaning there’s no reason not to expect more waves of attacks in the future. In fact, due to this\r\naggressive campaign, we could say FluBot is helping raise awareness about smishing as an attack avenue. At\r\nBitdefender, we are pushing on multiple fronts to raise awareness of this social engineering attack vector.\r\nBecause FluBot activity is rising, Bitdefender highly recommends that users install a security solution capable of\r\ndetecting not just FluBot itself, but also any social engineering vector designed to deploy malware. 
Your security\r\napp must be able to nip the problem in the bud.\r\nWith the new Scam Alert feature, Bitdefender Mobile Security for Android thwarts smishing attacks before\r\nusers even interact with the malicious content.\r\nBitdefender Mobile Security for iOS also protects iPhone users against campaigns commanded by FluBot\r\noperators, steering them clear of any incoming phishing or fraudulent links.\r\nSource: https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"
	],
	"report_names": [
		"new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike"
	],
	"threat_actors": [],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86b9c95e685187418a8f9abb7821ffcc2455a744.pdf",
		"text": "https://archive.orkl.eu/86b9c95e685187418a8f9abb7821ffcc2455a744.txt",
		"img": "https://archive.orkl.eu/86b9c95e685187418a8f9abb7821ffcc2455a744.jpg"
	}
}