{
	"id": "38cf478b-16cd-41c4-9ab7-de77e6e0e461",
	"created_at": "2026-04-06T00:12:22.2697Z",
	"updated_at": "2026-04-10T03:24:39.803168Z",
	"deleted_at": null,
	"sha1_hash": "c0c3d12fd60bc15f1c4693fe71fb9bd8420485d3",
	"title": "Flubot’s Smishing Campaigns under the Microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64826,
	"plain_text": "Flubot’s Smishing Campaigns under the Microscope\r\nBy Deutsche Telekom AG\r\nPublished: 2021-09-14 · Archived: 2026-04-05 16:43:03 UTC\r\nOur lives cannot be imagined without mobile phones. They know all our secrets and we use them to accomplish\r\ntasks like online banking or cryptocurrency trading. Most of them run the Android operating system resulting in\r\nbillions of Android installations worldwide. Given Android’s ubiquity and the kind of sensitive data Android\r\ndevices handle, cybercriminals routinely target them for financial gain.\r\nFlubot is so successful for a reason - unfortunately. © iStock\r\nOne of the tools such attackers utilize is Flubot, which is a botnet primarily targeting Android mobile phones. Its\r\nfirst appearance was in late 2020. Flubot comprises information stealing capabilities (exfiltrate contact list, SMS\r\nexfiltration), spamming capabilities (sending of smishing SMS), and application manipulation capabilities\r\n(injecting HTML code in banking and cryptocurrency apps). \r\nThis botnet spreads by sending SMS like “Notification: (1) new voice message: LINK”, where LINK redirects the\r\ntarget to a lure server serving a website that convinces the target to install a third-party APK. This behavior is\r\nknown as smishing, an artificial word derived from “SMS” and “Phishing”. An infected device exfiltrates its\r\ncontact list to the command and control server, which commands it to try to infect hundreds or even thousands of\r\nother devices each day. Hence, the name “Flubot” as this botnet spreads like the flu. Since its inception in late\r\n2020, this botnet has become a serious threat to end users and an annoying problem for carriers around the world. \r\nTelekom Security has detected thousands of Flubot infections of Deutsche Telekom’s clients throughout 2021.\r\nEach infected client is notified and offered assistance during the cleaning process. 
The following figure shows the\r\nnumber of unique infections per day from May 2021 until September 2021. Note that the number of infections\r\nfluctuates heavily because we continuously notify our clients, who then remove the malware\r\nfrom their devices. The plot shows a period during June and July in which fewer infections were detected. This is a\r\ntypical seasonal fluctuation, also known as “the threat actor’s summer break”. As of September 2021, we are\r\nnoticing that botnet activity is increasing and the current infection level is converging toward the level we\r\nnoticed in May 2021.\r\nFigure 1 Unique Flubot infections per day of Deutsche Telekom customers © DTAG\r\nFurthermore, the Flubot operators keep working to maintain this status quo. They change their smishing\r\nSMS templates every couple of hours and the links in these SMS every couple of minutes. In addition,\r\nthey use mechanisms to circumvent simple SMS content filter engines. After several weeks, they usually switch\r\nthe theme of their campaigns, e.g. from voicemail to parcel services, as observed in the last week of August 2021.\r\nNotably, they have implemented a mechanism to shut security researchers who run bot emulations out of\r\ntheir botnet: they verify whether new bots can send out SMS!\r\nhttps://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368\r\nPage 1 of 8\n\nIn this blog post, we’ll see how the smishing SMS work, how Flubot utilizes social engineering to convince\r\ntargets to install APKs, discuss the payloads that Flubot has recently distributed (i.e. Flubot and Teabot), and show\r\nhow the operators verify new bots. The goal of this blog post is to give the reader a detailed insight into how\r\nFlubot’s smishing campaigns work from end to end. It will not reiterate the capabilities of the malware itself, as\r\nthere are already very detailed write-ups by Incibe CERT, SWITCH, and ProDaft. 
\r\nIn our GitHub repository, we share hashes of Flubot and Teabot payloads, YARA rules to hunt for the\r\naforementioned malware families, as well as further analysis scripts. \r\nIt just starts with one SMS …\r\nIn general, the operators of a botnet (also known as botmasters) face at least two issues when running a botnet.\r\nFirst, users detect infections and clean up devices. This results in a loss of bots. Second, botmasters fully squeeze\r\nout bots by, for instance, stealing all credentials, conducting wire fraud, etc. This is an indirect loss since it turns a\r\nvaluable bot into a worthless bot. The solution to both problems is to acquire new bots. \r\nThe Flubot operators go to great lengths to acquire new bots: they are capable of circumventing carrier SMS\r\ncontent filters to increase the spreading probability as well as keeping security researchers out of the botnet to\r\nminimize the scrutiny of their botnet.\r\nThe basis for this heavy SMS spamming is the contact lists of Flubot victims, which the malware exfiltrates to the\r\ncommand and control server. The command and control server regularly sends bots the command\r\n“GET_CONTACTS”. Bots respond with all names and phone numbers of their contact list. In one case, we could\r\ndetermine that the time from contact exfiltration to the first smishing SMS is only a couple of hours. We utilized a\r\nphone number that was previously not known to the botnet. This example shows how fast the spamming\r\nmachinery of Flubot is spinning.\r\nFlubot’s spreading starts with just one innocent-looking SMS that a target receives, typically\r\nsent by someone not known to the target. Such an SMS comprises a piece of information (e.g. a missed call) and a link to\r\nfollow. The SMS texts changed their theme a couple of times throughout the last months. In August 2021, they\r\nmatched a voicemail theme by resembling messages that network carriers send on missed calls. 
This changed in\r\nSeptember 2021 when SMS texts started to abuse the DHL brand. Further changes of Flubot’s SMS themes are to\r\nbe expected as its operators have a history of abusing various brands such as FedEx and Correos (the Spanish\r\npostal service) in the past.\r\nThe next figure illustrates such a smishing SMS as received by the target. The SMS text starts with random letters\r\nand numbers, which is a way to circumvent carrier SMS content filters. This is followed by a text notifying the\r\ntarget that they missed a call, and a suspicious link they should click on to listen to a voicemail. Links in these\r\nSMS fluctuate very often, which is another way of not getting blocked by SMS carriers. Each link is personalized.\r\nFor instance, the parameter “5bb0bxt93” of the “r.php” script is likely utilized to track campaign success.  \r\nFigure 2 Flubot smishing SMS telling a target about a missed call, followed by a suspicious link\r\nto click on © DTAG\r\nAn important piece of Flubot’s success is how it avoids carrier SMS content filters:\r\n-    (1) First, the operators have access to hundreds of hacked websites that they utilize as redirects. These hacked\r\nwebsites in their smishing SMS rotate around every ten minutes. \r\n-    (2) Second, they add random letters as a prefix or postfix to their smishing SMS. \r\n-    (3) Third, they flip one or more letters in their smishing SMS. This may circumvent SMS content filters as it\r\nproduces different messages, but the messages are still readable by human beings. For instance, the word “Call” in\r\n“Missed Call” is changed to “Coll” as in “Missed Coll”. \r\n-    (4) Fourth, they change the capitalization of one or more words in their messages. For instance, the word\r\n“demain” (French: tomorrow) will be capitalized to “DEMAIN”. 
\r\nThe following table illustrates these circumvention mechanisms with several example smishing SMS.\r\nCountry | SMS | Method\r\nAustralia | New voice-message jecoived: hxxp://fyqz[.vip/m.php?REDACTED | (1), (3)\r\nAustralia | (!) New voice message rzcegved: hxxp://tantawy-group[.com/z.php?REDACTED | (1), (3)\r\nThe Netherlands | 8hd9 Inkomende voice oproep: hxxps://sachizi[.com/r.php?REDACTED | (1), (2)\r\nAustria | Eingehender Anruf: hxxps://www.internationalsengroup[.org/jcqsx9.php?REDACTED unqm | (1), (2)\r\nItaly | Notifdca: (1) nuovo messaggic vocale: hxxps://bitcoinsociety.passionland[.vn/c.php?REDACTED 7jbl6qc | (1), (2), (3)\r\nGermany (sent to the Netherlands) | U heeft 1 nieuwe voicemail. Ga naar hxxps://ospreymine[.co/k.php?REDACTED | (1)\r\nBelgium | Votre commande sera LIVREE par DHL DEMAIN entre 11h26 et 14h26. Suivre le progres hxxps://bodrumenduro[.com/f.php?REDACTED | (1), (4)\r\nThe botmasters sometimes utilize Flubot infections in neighboring countries to boost the spreading of Flubot in\r\ncountries where a strong bot base is not yet established. For instance, Telekom Security observed how German\r\nFlubot infections sent SMS with Dutch texts to Dutch phone numbers as well as Polish texts to Polish phone\r\nnumbers in late August 2021. This is in line with Flubot’s extension into these two countries around that time. As a\r\nrule of thumb, Telekom Security observes that roughly ten percent of Flubot’s SMS traffic is sent to foreign\r\ndestination phone numbers.\r\nThe spreading of Flubot may cause severe financial damage for Flubot victims as well as network carriers.\r\nInfected devices may send an SMS message every couple of minutes, which may add up to significant amounts\r\nafter some days. 
This is especially true if SMS messages are sent across borders, which is a typical tactic to boost the initial\r\nspreading rate in a new country. The bot queries the rate at which it should send SMS with the command\r\nSMS_RATE (see the table of relevant commands). We observed values from 4 minutes up to 60 minutes. This value\r\ndepends on the current spreading status of the botnet in a specific country. For instance, when the Flubot operators\r\nstart to spread Flubot in a country, they typically set the SMS_RATE very low (less than 5 minutes). As of\r\nSeptember 2021, Telekom Security observes a daily average of 1000 SMS per infected client. However,\r\nthere are some extreme cases of up to 3000 SMS per day.\r\nCommand | Description\r\nGET_SMS | Query the command and control server for a smishing task, consisting of a telephone number and an SMS text\r\nSMS_RATE | Query the command and control server for the delay time when sending mass SMS\r\nLOG | Response of the bot to log data to the command and control server. The subcommand LOG,SMS logs individual SMS.\r\nGET_CONTACTS | Asks the bot to exfiltrate all names and phone numbers of the victim’s contact list.\r\nSocial Engineering with Lures\r\nThe links of the smishing SMS forward targets to a lure server. The following figures show a generated website\r\nusing the Voicemail theme that was presented to targets in August 2021 and a website using DHL brand abuse\r\nthat was presented to targets in September 2021. The lure is generated per target, as it shows the target’s real phone number\r\n(“Your phone number”) to increase credibility and hence the probability that the target falls for this scam. A\r\nmessage instructs the target to download a third-party application by clicking a download button. As of September\r\n2021, these downloads are either Flubot or in some cases Teabot. 
The secondary payload is often distributed\r\nthrough another (hacked) server acting as a proxy.\r\nThe lure servers are just hacked WordPress instances. The Flubot gang has access to a considerable number of\r\nhacked websites that they utilize in their smishing SMS campaigns. Blocking the domains of these websites is not\r\nfeasible as they may change as often as every ten minutes. Additionally, these are legitimate blogs that may be cleaned\r\nup in the future, which would require timely unblocking. Telekom Security verified in more than 300 cases that\r\nthe hacked websites were WordPress blogs. Furthermore, it seems that these domains are not shared across their\r\ngeographical campaigns, i.e. the sets of domains per country they operate in are likely to be disjoint. \r\nThe lure servers host a heavily obfuscated PHP file (e.g. called “[a-z].php”). Its main task is to contact another\r\nserver of the Flubot infrastructure, generate the lure, and forward the target to the payload APK once they’ve\r\npressed the download button. As stated in the previous section, there is a personalized ID in the links:\r\nhxxps://some-url[.com/k.php?PERSONALIZED_ID. On the one hand, this personalized ID serves as a way to\r\nshow the correct phone number of the target in the lure website. On the other hand, it likely serves to track\r\ncampaign success. The download is proxied through another server.\r\nFigure 3 Lure website with Voicemail theme presented to targets in August 2021. © DTAG\r\nFigure 4 Lure website with DHL brand abuse as presented to targets in September 2021\r\nOverview of the Payload Distribution\r\nAs of September 2021, Telekom Security has observed Flubot distributing two different malware families:\r\nFlubot itself in most cases and sometimes Teabot (also known as Toddler or Anatsa), another Android\r\nbanking Trojan.\r\nThe names of the distributed APKs – be it Flubot or Teabot – consistently followed the same pattern for several\r\nweeks. 
For most of August 2021 the distributed APKs had a Voicemail theme, which was in line with the\r\nsmishing SMS the victims received (e.g. “Notification: (1) new voice message:” as observed on 2021-08-24 in\r\nIreland). Each APK was called “Voicemail{SMALL_INTEGER}.apk”, where SMALL_INTEGER was typically in the\r\nrange of 1 to 100. In late August 2021, Telekom Security observed another shift in the lure theme. They\r\nshifted back to the parcel theme (e.g. “Visit LINK to manage your delivery. Your order ORDER_NUMBER will\r\nBE delivered SOON.”), which they had utilized mostly during the first and second quarters of 2021. Distributed APKs\r\nwere called “DHL{SMALL_INTEGER}.apk”.\r\nFlubot’s distribution servers utilize hash busting. This applies to Flubot and Teabot payloads. Hashes of the\r\npacked APKs changed every hour up to every couple of days as of August 2021. However, there are counter-examples\r\nwhere hashes were distributed on one day and then again on another day. There could be several explanations for this\r\nbehavior, such as the generation of a set of binaries that are then rotated, or caching issues. Hashes appear to be always\r\ndifferent in each country they operate in. For instance, the hashes of APKs distributed in Germany and the\r\nNetherlands were always different. The following table illustrates this using examples from several countries. The\r\ntwo examples of Germany and Ireland show how hashes reappear within an hour. 
However, the Australian\r\nexample serves as a counter-example to hash busting being conducted every hour, since one hash appeared on two\r\ndifferent days.\r\nCountry | Hash | Date\r\nGermany | ecd12174b28729a0b8c708c14c0a086b | 2021-08-21-02:13:47\r\nGermany | ecd12174b28729a0b8c708c14c0a086b | 2021-08-21-03:04:13\r\nIreland | 6a75deb9e909ae8a6ef836cf232ae8f2 | 2021-08-24-17:31:31\r\nIreland | 6a75deb9e909ae8a6ef836cf232ae8f2 | 2021-08-24-17:56:20\r\nAustralia | ff772d18979f1e9d70f3324b3e1a25e6 | 2021-08-22-16:08:05\r\nAustralia | ff772d18979f1e9d70f3324b3e1a25e6 | 2021-08-22-17:14:31\r\nAustralia | ff772d18979f1e9d70f3324b3e1a25e6 | 2021-08-24-03:00:28\r\nHowever, the hashes of the unpacked payloads do not change that often. The unpacked payloads are regenerated\r\nevery couple of hours up to every couple of days per country. Let’s visualize this with an example from Australia. We\r\nobtained 62 packed payloads with unique hashes from within Australia during the period from 2021-08-19 until\r\n2021-08-24. The unpacked payloads have only a handful of unique hashes. Some of them we were able to observe only\r\nwithin a couple of hours. However, we observed the hash acb9cc224edb2c834a58912ed5e97a31 for more\r\nthan one day. 
Another interesting fact is that the unpacked hashes acb9cc224edb2c834a58912ed5e97a31 and\r\n867329419ab81b51ded9040352ba8717 were distributed during the same time period.\r\nUnpacked MD5 hash | From | Until\r\n81777f62d66f59a1aba5d006836ef080 | 2021-08-19-18:19:58 | 2021-08-20-10:17:06\r\n062847f8333e235813ca0fdc3a50650a | 2021-08-20-14:04:30 | 2021-08-21-07:09:56\r\nc6e0f2808d9a5062a4b8ed64445ca36d | 2021-08-21-09:38:04 | 2021-08-22-11:10:15\r\nacb9cc224edb2c834a58912ed5e97a31 | 2021-08-22-16:08:05 | 2021-08-24-03:00:28\r\n867329419ab81b51ded9040352ba8717 | 2021-08-22-20:29:34 | 2021-08-23-18:57:40\r\nbd72a3dcd754d36cc097563a7b65b7d5 | 2021-08-24-12:18:09 | 2021-08-24-14:05:51\r\nKeeping the Botnet Running BUT Without Security Researchers\r\nFrom a botmaster’s point of view, security researchers are an unnecessary evil who threaten their operation. What\r\nthey really hate but can hardly thwart are bot emulations, i.e. partial emulations of a bot’s networking protocol that\r\nquery real command and control servers, for instance, for commands and secondary payloads.\r\nBotmasters implement several mechanisms to thwart security researchers’ analysis attempts. These mechanisms can\r\nbe on the client side or on the server side. An example of client-side anti-analysis mechanisms is application\r\npacking. An example of server-side anti-analysis mechanisms is a long wait time before the first task is\r\nserved to a bot, in order to shut out short-running sandboxes from receiving tasks immediately. \r\nApart from the usual application packing that Flubot’s operators utilize (as seen in the previous sections), they’ve\r\nimplemented a particularly interesting way to check whether a new bot can send SMS and hence isn’t a bot emulation.\r\nBut how exactly does this work?\r\nPeriodically, bots query the command and control (CC) server for new smishing SMS tasks via the GET_SMS\r\ncommand. 
The CC server responds with a destination phone number and an SMS text (e.g. “New voice-message\r\njecoived: hxxp://fyqz[.vip/m.php?REDACTED”). However, Telekom Security observed how this behavior\r\nchanged in August 2021. Instead of receiving smishing tasks from the beginning, new bots that queried the CC\r\nwith GET_SMS for the first time received something else. \r\nIn place of a valid SMS text that included a link to a lure server, the SMS text became a random string consisting\r\nof lowercase ASCII letters and digits (e.g.\r\n“xxqgx323550k09yhdplziqnuwkv58r17cmtqe838475r4ynbmgm4qsz9yg7”). If a bot is blocked from sending\r\nout SMS but requests new tasks via GET_SMS, it will receive another task with such a random string but never\r\na valid smishing task.\r\nThe destination phone numbers of these invalid smishing tasks are an interesting piece of information here.\r\nLooking up several of them in who-called-me portals reveals that most of these numbers are known to send out\r\nsmishing SMS. The following figure shows two example lookups. The user comments in these screenshots read\r\nlike a general description of a Flubot infection (e.g. “text with a link”). So let’s assume that these destination\r\nphone numbers are indeed Flubot infections. \r\nSo what’s the point of sending an SMS with some random gibberish to a destination phone number that is likely to\r\nbe infected with Flubot as well? Well, if we don’t think of the string as gibberish but as some form of token,\r\nthen this is clearly a verification protocol. It verifies whether a bot can send out SMS to another bot in the botnet. The\r\nCC server detects this because the bot at the destination phone number logs SMS to the CC server with the\r\nLOG,SMS command on incoming SMS. 
This enables the CC server to verify that the destination phone number\r\nindeed received the token sent out by the source phone number. Once a bot completes this verification protocol, it\r\nreceives valid smishing tasks via the GET_SMS command. \r\nIn conclusion, the Flubot operators use their botnet infrastructure to verify whether new bots can send out real SMS to\r\nalready known bots. This proves that new bots are not bot emulations. As a consequence, the bot is deemed\r\nvaluable enough to receive valid SMS tasks via GET_SMS. \r\nFigure 5 Screenshots from www.phonenumbers.ie and www.wemgehoert.at with comments on two\r\nFlubot infections that the botnet utilized to verify further infections. © DTAG\r\nConclusion\r\nIn this blog post, we’ve seen how Flubot’s smishing campaigns work, how the operators circumvent simple SMS\r\ncontent filters, and what countermeasures (e.g. geo-fencing, bot verification, application packing) they keep\r\nadding to make analysis of the botnet more difficult for security researchers. This threat is a huge but often\r\noverlooked problem for a variety of stakeholders including but not limited to users, carriers, the Android\r\necosystem, and law enforcement. One could say that Flubot is for SMS what Emotet was for email: a spam\r\nkingpin! \r\nFurther information:\r\nAndroid FluBot enters Switzerland\r\nIncibecert flubot analysis study 2021\r\nProdaft report Flubot\r\nSource: https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368"
	],
	"report_names": [
		"flubot-under-the-microscope-636368"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0c3d12fd60bc15f1c4693fe71fb9bd8420485d3.pdf",
		"text": "https://archive.orkl.eu/c0c3d12fd60bc15f1c4693fe71fb9bd8420485d3.txt",
		"img": "https://archive.orkl.eu/c0c3d12fd60bc15f1c4693fe71fb9bd8420485d3.jpg"
	}
}