{
	"id": "4de04474-ed26-428e-a0cf-f0f7c50ecc62",
	"created_at": "2026-04-06T00:21:37.427453Z",
	"updated_at": "2026-04-10T03:21:04.251342Z",
	"deleted_at": null,
	"sha1_hash": "b36c04900fb226c8522f2f46da0fcb60cfda22a7",
	"title": "Flubot: the evolution of a notorious Android Banking Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3735126,
	"plain_text": "Flubot: the evolution of a notorious Android Banking Malware\r\nBy Global Threat Intelligence\r\nPublished: 2022-06-29 · Archived: 2026-04-05 17:32:55 UTC\r\nAuthored by Alberto Segura (main author) and Rolf Govers (co-author)\r\nSummary\r\nFlubot is an Android based malware that has been distributed in the past 1.5 years in\r\nEurope, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims.\r\nLike the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services\r\nin order to steal the victim’s credentials, by detecting when the official banking application\r\nis open to show a fake web injection, a phishing website similar to the login form of the banking\r\napplication. An important part of the popularity of Flubot is due to the distribution\r\nstrategy used in its campaigns, since it has been using the infected devices to send\r\ntext messages, luring new victims into installing the malware from a fake website.\r\nIn this article we detail its development over time and recent developments regarding\r\nits disappearance, including new features and distribution campaigns.\r\nIntroduction\r\nOne of the most popular active Android banking malware families today. An “inspiration” for developers of other\r\nAndroid banking malware families. Of course we are talking about Flubot. Never heard of it? Let us give you a\r\nquick summary.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 1 of 25\n\nFlubot banking malware families are in the wild since at least the period between late 2020 and the first quarter of\r\n2022. Most of its popularity comes from its distribution method: smishing. Threat Actors (TA) have been using the\r\ninfected devices to send text messages to other phone numbers, stolen from other infected devices and stored in\r\nCommand-and-Control servers (C2).\r\nIn the initial campaigns, TAs used fake Fedex, DHL and Correos – a local Spanish parcel shipping company –\r\nSMS messages. Those SMS messages were fake notifications which lured the user into a fake website in order to\r\ndownload a mobile application to track the shipping. These campaigns were very successful, since nowadays most\r\npeople are used to buy different kinds of products online and receive that type of messages to track the shipping of\r\nthe product.\r\nFlubot is not only a very active family: TAs have been very actively introducing new features, support for\r\ncampaigns in new countries and improving the features it already had.\r\nOn June 1, 2022, Europol announced the takedown of Flubot in a joint operation including 11 countries. The\r\nDutch Police played a key part in this operation and successfully disrupted the infrastructure in May 2022,\r\nrendering this strain of malware inactive. That was interesting period of time to look back at the early days of\r\nFlubot, how it evolved and became so notorious.\r\nIn this post we want to share all we know about this threat and a timeline of the most relevant and interesting\r\n(new) features and changes that Flubot’s TAs have introduced. We will focus on these features and changes related\r\nto the detected samples but also in the different campaigns that TAs have been using to distribute this malware.\r\nThe beginning: A new Android Banking Malware targeting Spain [Flubot versions\r\n0.1-3.3]\r\nBased on reports from other researchers, Flubot samples were first found in the wild between November and\r\nDecember of 2020. Public information about this malware was first published on 6 January 2021 by our partner\r\nThreatFabric (https://twitter.com/ThreatFabric/status/1346807891152560131). Even though ThreatFabric was the\r\nfirst to publish public information on this new family and called it “Cabassous”, the research community has been\r\nmore commonly referring to this malware as Flubot.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 2 of 25\n\nIn the initial campaigns, Flubot was distributed using Fedex and Correos fake SMS messages. In those messages,\r\nthe user was led to a fake website which was basically a “landing page” style website to download what was\r\nsupposed to be an Android application to track the incoming shipping.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 3 of 25\n\nIn this initial campaign versions prior to Flubot 3.4 were used, and TAs were including support for new campaigns\r\nin other countries using specific samples for each country. The reasons why there were different samples for\r\ndifferent countries were:\r\n– Domain Generation Algorithm (DGA). It was using a different seed to generate 5.000 different domains per\r\nmonth. Just out of curiosity: For Germany, TAs were using 1945 as seed for the DGA.\r\n– Phone country code used to send more distribution smishing SMS messages from infected devices and block\r\nthose numbers in order to avoid communication among victims.\r\nThere were no significant changes related to features in the initial versions (from 0.1 to 3.3). TAs were mostly\r\nfocused on the distribution campaigns, trying to infect as many devices as possible.\r\nThere is one important change in the initial versions, but it is difficult to find the exact version in which this\r\nchange was first introduced because there are some version without samples on public repositories. TAs\r\nintroduced web injections to steal credentials, the most popular tactic to steal credentials on Android devices. This\r\nwas introduced starting between versions 0.1 and 0.5, in December 2020.\r\nIn those initial versions, TAs increased the version number of the malware in just a few days without adding\r\nsignificant changes. Most of the samples – particularly previous to 2.1 – were not uploaded to public malware\r\nrepositories, making it even harder to track the first versions of Flubot.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 4 of 25\n\nOn these initial versions (after 0.5), TAs also introduced other not so popular features like the “USSD” one which\r\nwas used to call to special numbers to earn money (“RUN_USSD” command), it was introduced at some point\r\nbetween versions 1.2 and 1.7. In fact, it seems this feature wasn’t really used by Flubot’s TAs. Most used features\r\nwere the web injections to steal banking and cryptocurrency platform credentials and sending SMS features to\r\ndistribute and infect new devices.\r\nFrom version 2.1 to 2.8 we observed TAs started to use a different packer for the actual Flubot’s payload. It could\r\nexplain why we weren’t able to find samples on public repositories between 2.1 and 2.8, probably there were\r\nsome “internal” versions\r\nused to try different packers and/or make it work with the new one.\r\nMarch 2021: New countries and improvements on distribution campaigns [Flubot\r\nversions 3.4-3.7]\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 5 of 25\n\nAfter a few months apparently focused on distribution campaigns and not really on new features for the malware\r\nitself, we have found version 3.4 in which TAs introduced some changes on the DGA code. In this version, they\r\nreduced the number of generated domains from 5.000 to 2.500 a month. At first sight this looks like a minor\r\nchange, but is one of the first changes to start distributing the malware in different countries in a more easy way\r\nfor TAs, since a different sample with different parameters was used for each country.\r\nIn fact, we can see a new version (3.6) customized for targeting victims in Germany in March 18, 2021. Only five\r\ndays later, another version was released (3.7), with interesting changes. TAs were trying to use the same sample\r\nfor campaigns in Spain and Germany, including Spanish and German phone country codes split by newline\r\ncharacter to block\r\nthe phone number to which the infected device is sending smishing messages.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 6 of 25\n\nAt the same time, TAs introduced a new campaign on Hungary. By the end of March, TAs introduced a new\r\nchange on version 3.7: an important change in their DGA, since they replaced “.com” TLD with “.su”. This\r\nchange was important for tracking Flubot, since now TAs could use this new TLD to register new C2’s domains.\r\nApril 2021: DoH and unique samples for all campaigns [Flubot versions 3.9-4.0]\r\nIt seems TAs were working since late March on a new version: Flubot 3.9. In this new version, they introduced\r\nDNS-over-HTTPs (DoH). This new feature was used to resolve domain names generated by the DGA. This way, it\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 7 of 25\n\nwas more difficult to detect infected devices in the network, since security solutions were not able to check\r\nwhich domains were being resolved.\r\nIn the following images we show decompiled code of this new version, including the new DoH code. TAs kept the\r\nold classic DNS resolving code. TAs introduced code to randomly choose if DoH or classic DNS should be used.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 8 of 25\n\nThe introduction of DoH was not the only feature that was added to Flubot 3.9. TAs also added some UI messages\r\nto prepare future campaigns targeting Italy.\r\nThose messages were used a few days later in the new Flubot 4.0 version, in which TAs finally started to use one\r\nsingle sample for all of the campaigns – no more unique samples to targeted different countries.\r\nWith this new version, the targeted country’s parameters used on previous version of Flubot were chosen\r\ndepending on the victim’s device language. This way, if the device language was Spanish, then Spanish\r\nparameters were used. The following parameters were chosen:\r\n– DGA seed\r\n– Phone country codes used for smishing and phone number blocking\r\nMay 2021: Time for infrastructure and C2 server improvements [Flubot versions\r\n4.1-4.3]\r\nMay starts with a minor update on version 4.0 – a change the DoH servers used to resolve DGA domains. Now\r\ninstead of using CloudFlare’s servers they started using Google’s servers. This was the first step to move to a new\r\nversion, Flubot 4.1.\r\nIn this new version, TAs have changed one more time the DoH servers used to resolve the C2 domains. In this\r\ncase, they introduced three different services or DNS servers: Google, CloudFlare and AliDNS. The last one was\r\nused for the first time in the life of Flubot to resolve the DGA domains.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 9 of 25\n\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 10 of 25\n\nThose three different DoH services or servers were chosen randomly to resolve the generated domains, to finally\r\nmake the requests to any of the active C2 servers.\r\nThese changes also brought a new campaign in Belgium, in which TAs used fake BPost app and smishing\r\nmessages to lure new victims. One week later, new campaigns in Turkey were also introduced, this time in a new\r\nFlubot version with important changes related to its C2 protocol.\r\nThe first samples of Flubot 4.2 appeared on 17 May 2021 with a few important changes in the code used to\r\ncommunicate with the C2 servers. In this version, the malware was sending HTTP requests with a new path in the\r\nC2: “p.php”, instead of the classic “poll.php” path.\r\nAt first sight it seemed like a minor change, but paying attention to the code we realized there was an important\r\nreason behind this change: TAs changed the encryption method used for the protocol to communicate with the C2\r\nservers.\r\nPrevious versions of Flubot were using simple XOR encryption to encrypt the information exchanged with the C2\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 11 of 25\n\nservers, but this new version 4.2 was using\r\nRC4 encryption to encrypt that information instead of the classic XOR. This way, the C2 server still supported old\r\nversions and new version at the same time:\r\npoll.php and poll2.php were used to send/receive requests using the old XOR encryption\r\np.php was used to send and receive requests using the new RC4 encryption\r\nBesides the new protocol encryption on version 4.2, TAs also added at the end of May support for new campaigns\r\nin Romania.\r\nFinally, on 28 May 2021 new samples of Flubot 4.3 were discovered with minor changes, mainly focused on the\r\nstrings obfuscation implemented by the malware.\r\nJune 2021: VoiceMail. New campaign new countries [Flubot versions 4.4-4.6]\r\nA few days after first samples of Flubot 4.3 were discovered – on May 31, 2021 and June 1, 2021 – new samples\r\nof Flubot were observed with version number bumped to 4.4.\r\nOne more time, no major changes in this new version. TAs added support for campaigns in Portugal. As we can\r\nsee with versions 4.3 and 4.4, it was common for Flubot’s TAs to bump the version number in just a few days,\r\nwith just minor changes. Some versions were not even found in public repositories (e.g. version 3.3), which\r\nsuggests that some versions were never used in public or just skipped and TAs just bumped the version. Maybe\r\nthose “lost versions” lasted just a few hours in the distribution servers and were quickly updated to fix bugs.\r\nIn the month of June the TAs hardly made any changes related to features, but instead they were working on new\r\ndistribution campaigns.\r\nOn version 4.5, TAs added Slovakia, Czech Republic, Greece and Bulgaria to the list of supported countries for\r\nfuture campaigns. TAs reused the same DGA seed for all of them, so it didn’t require too much work from their\r\npart to get this version released.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 12 of 25\n\nA few days after version 4.5 was observed, a new version 4.6 was discovered with new countries added for future\r\ncampaigns: Austria and Switzerland. Also, some countries that were removed in previous versions were\r\nreintroduced: Sweden, Poland, Hungary, and The Netherlands.\r\nThis new version of Flubot didn’t come only with more country coverage. TAs introduced a new distribution\r\ncampaign lure: VoiceMail. In this new “VoiceMail” campaign, infected devices were used to send text messages to\r\nnew potential victims using messages in which the user was lead to a fake website. This time a “VoiceMail” app\r\nwas installed, which should allow the user to listen to the received Voice mail messages. In the following image\r\nwe can see the VoiceMail campaign for Spanish users.\r\nJuly 2021: TAs Holidays [Flubot versions 4.7]\r\nJuly 2021 is the month with less activity. In this month, only one version update was observed at the very\r\nbeginning of the month – Flubot 4.7. This new version came without the usage of different DGA seeds by country\r\nor device language. TAs started to randomly choose the seed from a list of seeds, which were the same seeds that\r\nwere previously used for country or device language.\r\nBesides the changes related to the DGA seeds, TAs also introduced support for campaigns in new countries:\r\nSerbia, Croatia and Bosnia and Herzegovina.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 13 of 25\n\nThere was almost no Flubot activity in summer. Our assumption is the developers were busy with their summer\r\nholidays. As we will see in the following section, TAs will recover their activity in August and October.\r\nAugust-September 2021: Slow come back from Holidays [Flubot versions 4.7-4.9]\r\nDuring the first days of August, after TAs possibly enjoyed a nice holiday season, Australia was added to version\r\n4.7 in order to start distribution campaigns in that country.\r\nOnly a week later, TAs released the new version 4.8, in which we found some minor changes mostly related to UI\r\nmessages and alert dialogs.\r\nOne more version bump for Flubot was discovered on September, when version 4.9 came out with some more\r\nminor changes, just like the previous version 4.8. This time, new web injections were introduced in the C2 servers\r\nto steal credentials from victims. Those two new versions with minor changes (not very relevant) seems like a\r\nrelaxed come back to activity. From our point of view, the most interesting thing that happened in those two\r\nmonths is that TAs started to distribute another malware family using the Flubot botnet. We received from C2\r\nservers a few smishing tasks in which the fake “VoiceMail” website was serving Teabot (also known as Anatsa\r\nand Toddler) instead of Flubot.\r\nThat was very interesting because it showed that Flubot’s TAs could be also associated with this malware family\r\nor at least could be interested on selling the botnet for smishing purposes to other malware developers. As we will\r\nsee, that was not the only family distributed by Flubot.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 14 of 25\n\nOctober-November 2021: ‘Android Security Update’ campaign and new big\r\nprotocol changes [Flubot versions 4.9]\r\nDuring October and most part of November, Flubot’s TAs didn’t bump the version number of the malware and\r\nthey didn’t do very important moves during that period of time.\r\nAt the beginning of October, we saw a campaign different from the previous DHL / Correos / Fedex campaigns or\r\nthe “VoiceMail” campaign. This time, TAs started to distribute Flubot as a fake security update for Android.\r\nIt seems this new distribution campaign wasn’t working as expected, since TAs kept using the “VoiceMail”\r\ndistribution campaign after a few days.\r\nTAs were very quiet until late November, when they finally released new samples with important changes in the\r\nprotocol used to communicate with C2 servers. After bumping the version numbers so quickly at the beginning,\r\nnow TAs weren’t bumping the version number\r\neven with a major change like this one.\r\nThis protocol change allowed the malware to communicate with the C2 servers without starting a direct\r\nconnection with them. Flubot used TXT DNS requests to common public DNS servers (Google, CloudFlare and\r\nAliDNS). Then, those requests were forwarded to the actual C2 servers (which implemented DNS servers) to get\r\nthe TXT record response from the servers and forward it to the malware. The stolen information from the infected\r\ndevice was sent encrypting it using RC4 (in a very similar way to the used in the previous protocol version) and\r\nencoding the encrypted bytes. This way, the encoded payload was used as a subdomain of the DGA generated\r\ndomain. The response from C2 servers was also encrypted and encoded as the TXT record response to the TXT\r\nrequest, and it included the commands to execute smishing tasks for distribution campaign or the web injections\r\nused to steal credentials.\r\nWith this new protocol, Flubot was using DoH servers from well known companies such as Google and\r\nCloudFlare to establish a tunnel of sorts with the C2 servers. With this technique, detecting the malware via\r\nnetwork traffic monitoring was very difficult, since the malware wasn’t establishing connections with unknown or\r\nmalicious servers directly. Also, since it was using DoH, all the DNS requests were encrypted, so network traffic\r\nmonitoring couldn’t identify those malicious DNS requests.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 15 of 25\n\nThis major change in the protocol with the C2 servers could also explain the low activity in the previous months.\r\nPossibly developers were working on ways to improve the protocol as well as the code of both malware and C2\r\nservers backend.\r\nDecember 2021: ‘Flash Player’ campaign and DGA changes [Flubot versions 5.0-\r\n5.1]\r\nFinally, in December the TAs decided to finally bump the version number to 5.0. This new version brought a\r\nminor but interesting change: Flubot can now receive URLs in addition to web injections HTML and JavaScript\r\ncode. Before version 5.0, C2 servers would send the web injection code, which was saved on the device for future\r\nuse when the victim opened one of the targeted applications in order to steal the credentials. Since version 5.0, C2\r\nservers were sending URLs instead, so Flubot’s malware had to visit the URL and save the HTML and JavaScript\r\nsource code in memory for future use.\r\nNo more new versions or changes were observed until the end of December, when the TAs wanted to say goodbye\r\nto the 2021 by releasing Flubot 5.1. The first samples of Flubot 5.1 were detected on December 31. As we will see\r\nin the following section, on January 2 Flubot 5.2 samples came out. Version 5.1 came out with some important\r\nchanges on DGA. This time, TAs introduced a big list of TLDs to generate new domains, while they also\r\nintroduced a new command used to receive a new DGA seed from the C2 servers – UPDATE_ALT_SEED. Based\r\non our research, this new command was never used, since all the newly infected devices had to connect to the C2\r\nservers using the domains generated with the hard-coded seeds.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 16 of 25\n\nBesides the new changes and features added in December, TAs also introduced a new campaign: “Flash Player”.\r\nThis campaign was used alongside with “VoiceMail” campaign, which still was the most used to distribute Flubot.\r\nIn this new campaign, a text message was sent to the victims from infected devices trying to make them install a\r\n“Flash Player” application in order to watch a fake video in which the victim appeared. The following image\r\nshows how simple the distribution website was, shown when the victim opens the link.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 17 of 25\n\nJanuary 2022: Improvements in Smishing features and new ‘Direct Reply’ features\r\n[Flubot versions 5.2-5.4]\r\nAt the very beginning of January new samples for the new version of Flubot were detected. This time, version 5.2\r\nintroduced minor changes in which TAs added support for longer text messages on smishing tasks. They stopped\r\nusing the usual Android’s “sendTextMessage” function and started to use “sendMultipartTextMessage” alongside\r\n“divideMessage” instead. This allowed them to use longer messages, split into multiple messages.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 18 of 25\n\nA few days after new sample of version 5.2 was discovered, samples of version 5.3 were detected. In this case, no\r\nnew features were introduced. TAs removed some unused old code. This version seemed like a version used to\r\nclean the code. Also, three days after the first samples of Flubot 5.3 appeared, new samples of this version were\r\ndetected with support for campaigns in new countries: Japan, Hong Kong, South Korea, Singapore and Thailand.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 19 of 25\n\nBy the end of January, TAs released a new version: Flubot 5.4. This new version introduced a new and interesting\r\nfeature: Direct Reply. The malware was now capable to intercept the notifications received in the infected device\r\nand automatically reply them with a configured message received from the C2 servers.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 20 of 25\n\nTo get the message that would be used to reply notifications, Flubot 5.4 introduces a new request command called\r\n“GET_NOTIF_MSG”. As the following image shows, this request command is used to get the message to finally\r\nbe used when a new notification is received.\r\nEven though this was an interesting new feature to improve the botnet’s distribution power, it didn’t last too long.\r\nIt was removed in the following version.\r\nIn the same month we detected Medusa, another Android banking malware, distributed in some Flubot smishing\r\ntasks. This means that, one more time, Flubot botnet was being used as a distribution botnet for distribution of\r\nanother malware family. In August 2021 it was used to distribute Teabot. Now, it has been used to distribute\r\nMedusa.\r\nIf we try to connect the dots, it could explain the new “Direct Reply” feature and the usage of “multipart\r\nmessages”. Those improvements could have been introduced due to suggestions made by Medusa’s TAs in order\r\nto use Flubot botnet as distribution service.\r\nFebruary-March-April 2022: New cookie stealing features [Flubot versions 5.5]\r\nFrom late January – when we fist observed version 5.4 in the wild – to late February, almost one month passed\r\nuntil a new version was released. We believe this case is similar to previous periods of time, like August-November 2021, when TAs used that time to introduce a big change in the protocol. This time, it seems TAs were\r\nquietly working on new Flubot 5.5, which came with a very interesting feature: Cookie stealing.\r\nThe first thing we realized by looking at the new code was a little change when requesting the list of targeted apps.\r\nThis request must include the list of installed applications in the infected device. As a result, the C2 server would\r\nprovide the subset of apps which are targeted. In this new version, “.new” was appended to the package names of\r\ninstalled apps when doing the “GET_INJECTS_LIST” request.\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 21 of 25\n\nAt the beginning, the C2 servers were responding with URLs to fetch the web injections for credentials stealing\r\nwhen using “.new” appended to the package’s name.\r\nAfter some time, C2 servers started to respond with the official URL of the banks and crypto-currency platforms,\r\nwhich seemed strange. After analysis of the code, we realized they also introduced code to steal the cookies from\r\nthe WebView used to show web injections – in this case, the targeted entity’s website. Clicks and text changes in\r\nthe different UI elements of the website were also logged and sent to the C2 server, so TAs were not only stealing\r\ncookies: they were also able to steal credentials via “keylogging”.\r\nThe cookies stealing code could receive an URL, the same way it could receive a URL to fetch web injections, but\r\nthis time visiting the URL it wasn’t receiving the web injection. Instead, it was receiving a new URL (the official\r\nbank or service URL) to be loaded and to steal the credentials from. In the following image, the response from a\r\ncompromised website used to download the web injections is shown. In this case, it was used to get the payload\r\nfor stealing GMail’s cookies (shown when the victim tries to open Android Email application).\r\nAfter the victim logs in to the legitimate website, Flubot will receive and handle an event when the website ends\r\nloading. At this time, it gets the cookies and sends them to the C2 server, as can be seen in the following image.\r\nMay 2022: MMS smishing and.. The End? [Flubot versions 5.6]\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 22 of 25\n\nOnce again, after one month without new versions in the wild, a new version of Flubot came out at the beginning\r\nof May: Flubot 5.6. This is the last known Flubot version.\r\nThis new version came with a new interesting feature: MMS smishing tasks. With this new feature, TAs were\r\ntrying to bypass carriers detections, which were probably put in place after more than a year of activity. A lot of\r\nusers were infected and their devices where sending text messages without their knowledge.\r\nTo introduce this new feature, TAs added new request’s commands:\r\n– GET_MMS: used to get the phone number and the text message to send (similar to the usual GET_SMS used\r\nbefore for smishing)\r\n– MMS_RATE: used to get the time rate to make “GET_MMS” request and send the message (similar to the usual\r\nSMS_RATE used before for smishing).\r\nAfter this version got released on May 1st, the C2 servers stopped working on May 21st. They were offline until\r\nMay 25th, but they were still not working properly, since they were replying with empty responses. Finally, on\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 23 of 25\n\nJune 1st, Europol published on their website that they took down the Flubot’s infrastructure with the cooperation\r\nof police from different countries. Dutch Police was the one that took down the infrastructure. It probably\r\nhappened because Flubot C2 servers, at some point in 2022, changed the hosting services to a hosting service in\r\nThe Netherlands, making it easier to take down.\r\nDoes it mean this is the end of Flubot? Well, we can’t know for sure, but it seems police wasn’t able to get the\r\nRSA private keys since they didn’t make the C2 servers send commands to detect and remove the malware from\r\nthe devices.\r\nThis means that the TAs should be able to bring Flubot back by just registering new domains and setting up all the\r\ninfrastructure in a “safer” country and hosting service. TAs could recover their botnet, with less infected devices\r\ndue to the offline time, but still with some devices to continue sending smishing messages to infect new devices. It\r\ndepends on the TAs intentions, since it seems that the police hasn’t found them yet.\r\nConclusion\r\nFlubot has been one of the most – if not the most – active banking malware family of the last few years. Probably\r\nthis was due to their powerful distribution strategy: smishing. This malware has been using the infected devices to\r\nsend text messages to the phone numbers which were stolen from the victims smartphones. But this, in\r\ncombination with fake parcel shipping messages in a period of time in which everybody is used to buy things\r\nonline has made it an important threat.\r\nAs we have seen in this post, TAs have introduced new features very frequently, which made Flubot even more\r\ndangerous and contagious. A significant part of the updates and new features have been introduced to improve the\r\ndistribution capabilities of the malware in different countries, while others have been introduced to improve the\r\ncredentials and information stealing capabilities.\r\nSome updates delivered major changes in the protocol, making it more difficult to detect via network monitoring,\r\nwith a DoH tunnel-based protocol which is really uncommon in the world of Android Malware. It seems that TAs\r\nhave even been interested on selling some kind of “smishing distribution” service to other TAs, as we have seen\r\nwith the association with Teabot and Medusa.\r\nAfter one year and a half, Dutch Police was able to take down the C2 servers after TAs started using a Dutch\r\nhosting service. It seems to be the end of Flubot, at least for now.\r\nTAs still can move the infrastructure back to a “safer” hosting and register new DGA domains to recover their\r\nbotnet. It’s too soon to determine that was the end of Flubot. Time will tell what will happen with this Android\r\nmalware family, which has been one of the most important and interesting malware families in the last few years.\r\nList of samples by version\r\n0.1 – 5e0311fb1d8dda6b5da28fa3348f108ffa403f3a3cf5a28fc38b12f3cab680a0\r\n0.5 – d3af7d46d491ae625f66451258def5548ee2232d116f77757434dd41f28bac69\r\n1.2 – c322a23ff73d843a725174ad064c53c6d053b6788c8f441bbd42033f8bb9290c\r\n1.7 – 75c2d4abecf1cc95ca8aeb820e65da7a286c8ed9423630498a95137d875dfd28\r\n1.9 – 9420060391323c49217ce5d40c23d3b6de08e277bcf7980afd1ee3ce17733da2\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 24 of 25\n\n2.1 – 13013d2f96c10b83d79c5b4ecb433e09dbb4f429f6d868d448a257175802f0e9\r\n2.2 – 318e4d4421ce1470da7a23ece3db5e6e4fe9532e07751fc20b1e35d7d7a88ec7\r\n2.8 – f3257b1f0b2ed1d67dfa1e364c4adc488b026ca61c9d9e0530510d73bd1cf77e\r\n3.1 – affaf5f9ba5ea974c605f09a0dd7776d549e5fec2f946057000abe9aae1b3ce1\r\n3.2 – 865aaf13902b312a18abc035f876ad3dfedce5750dba1f2cc72aabd68d6d1c8f\r\n3.4 – ca18a3331632440e9b86ea06513923b48c3d96bc083310229b8c5a0b96e03421\r\n3.5 – 43a2052b87100cf04e67c3c8c400fa203e0e8f08381929c935cff2d1f80f0729\r\n3.6 – fd5f7648d03eec06c447c1c562486df10520b93ad7c9b82fb02bd24b6e1ec98a\r\n3.7 – 1adba4f7a2c9379a653897486e52123d7c83807e0e7e987935441a19eac4ce2c\r\n3.9 – 1cf5c409811bafdc4055435a4a36a6927d0ae0370d5197fcd951b6f347a14326\r\n4.0 – 8e2bd71e4783c80a523317afb02d26cac808179c57834c5c599d976755b1dabd\r\n4.1 – ec3c35f17e539fe617ca2e73da4a51dc8efedda94fd1f8b50a5b77d63e58ba5c\r\n4.2 – 368cebac47e36c81fb2f1d8292c6c89ccb10e3203c5927673ce05ba29562f19c\r\n4.3 – dab4ce5fbb1721f24bbb9909bb59dcc33432ccf259ee2d3a1285f47af478416d\r\n4.4 – 6a03efa4ffa38032edfb5b604672e8c9e01a324f8857b5848e8160593dfb325e\r\n4.5 – f899993c6109753d734b4faaf78630dc95de7ea3db78efa878da7fbfc4aee7cd\r\n4.6 – ffaebdbc8c2ecd63f9b97781bb16edc62b2e91b5c69e56e675f6fbba2d792924\r\n4.7 – a0dd408a893f4bc175f442b9050d2c328a46ff72963e007266d10d26a204f5af\r\n4.8 – a0181864eed9294cac0d278fa0eadabe68b3adb333eeb2e26cc082836f82489d\r\n4.9 – 831334e1e49ec7a25375562688543ee75b2b3cc7352afc019856342def52476b\r\n4.9 – 8c9d7345935d46c1602936934b600bb55fa6127cbdefd343ad5ebf03114dbe45 (DoH tunnel protocol)\r\n5.0 – 08d8dd235769dc19fb062299d749e4a91b19ef5ec532b3ce5d2d3edcc7667799\r\n5.1 – ff2d59e8a0f9999738c83925548817634f8ac49ec8febb20cfd9e4ce0bf8a1e3\r\n5.2 – 4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c\r\n5.3 – e9ff37663a8c6b4cf824fa65a018c739a0a640a2b394954a25686927f69a0dd4\r\n5.4 – df98a8b9f15f4c70505d7c8e0c74b12ea708c084fbbffd5c38424481ae37976f\r\n5.5 – 78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25\r\n5.6 – 16427dc764ddd03c890ccafa61121597ef663cba3e3a58fc6904daf644467a7c\r\nSource: https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nhttps://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/\r\nPage 25 of 25\n\n https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/      \nAt the same time, TAs introduced a new campaign on Hungary. By the end of March, TAs introduced a new\nchange on version 3.7: an important change in their DGA, since they replaced “.com” TLD with “.su”. This\nchange was important for tracking Flubot, since now TAs could use this new TLD to register new C2’s domains.\nApril 2021: DoH and unique samples for all campaigns  [Flubot versions  3.9-4.0]\nIt seems TAs were working since late March on a new version: Flubot 3.9. In this new version, they introduced\nDNS-over-HTTPs (DoH). This new feature was used to resolve domain names generated by the DGA. This way, it\n   Page 7 of 25    \n\n https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/      \nBy the end of January, TAs released a new version: Flubot 5.4. This new version introduced a new and interesting\nfeature: Direct Reply. The malware was now capable to intercept the notifications received in the infected device\nand automatically reply them with a configured message received from the C2 servers.  \n   Page 20 of 25",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/"
	],
	"report_names": [
		"flubot-the-evolution-of-a-notorious-android-banking-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434897,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b36c04900fb226c8522f2f46da0fcb60cfda22a7.pdf",
		"text": "https://archive.orkl.eu/b36c04900fb226c8522f2f46da0fcb60cfda22a7.txt",
		"img": "https://archive.orkl.eu/b36c04900fb226c8522f2f46da0fcb60cfda22a7.jpg"
	}
}