{
	"id": "acf33999-b39e-45cd-9dd1-54830d24b18f",
	"created_at": "2026-04-06T00:11:41.79784Z",
	"updated_at": "2026-04-10T03:20:06.359204Z",
	"deleted_at": null,
	"sha1_hash": "dc72f53c03ef65cfc44fb73c694ac27a19d0616c",
	"title": "Takedown of SMS-based FluBot spyware infecting Android phones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1505040,
	"plain_text": "Takedown of SMS-based FluBot spyware infecting Android phones\r\nBy Europol\r\nPublished: 2022-06-01 · Archived: 2026-04-02 12:25:03 UTC\r\nAn international law enforcement operation involving 11 countries has resulted in the takedown of one of the\r\nfastest-spreading mobile malware to date. Known as FluBot, this Android malware has been spreading\r\naggressively through SMS, stealing passwords, online banking details and other sensitive information from\r\ninfected smartphones across the world. Its infrastructure was successfully disrupted earlier in May by the Dutch\r\nPolice (Politie), rendering this strain of malware inactive. \r\nThis technical achievement follows a complex investigation involving law enforcement authorities of Australia,\r\nBelgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands and the United States, with the\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones\r\nPage 1 of 3\n\ncoordination of international activity carried out by Europol’s European Cybercrime Centre (EC3). \r\nThe investigation is ongoing to identify the individuals behind this global malware campaign. \r\nHere is how FluBot worked \r\nFirst spotted in December 2020, FluBot has gained traction in 2021 and compromised a huge number of devices\r\nworldwide, including significant incidents in Spain and Finland. \r\nThe malware was installed via text messages which asked Android users to click a link and install an application\r\nto track to a package delivery or listen to a fake voice mail message. Once installed, the malicious application,\r\nwhich actually was FluBot, would ask for accessibility permissions. The hackers would then use this access to\r\nsteal banking app credentials or cryptocurrency account details and disable built-in security mechanisms. \r\nThis strain of malware was able to spread like wildfire due to its ability to access an infected smartphone’s\r\ncontacts. Messages containing links to the FluBot malware were then sent to these numbers, helping spread the\r\nmalware ever further. \r\nThis FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral. \r\nInternational police cooperation\r\nWith cases spreading across Europe and Australia, international police cooperation was central in taking down the\r\nFluBot criminal infrastructure. \r\nEuropol’s European Cybercrime Centre brought together the national investigators in the affected countries to\r\nestablish a joint strategy, provided digital forensic support and facilitated the exchange of operational information\r\nneeded to prepare for the final phase of the action. The J-CAT, hosted at Europol, also supported the investigation.\r\nA virtual command post was also set up by Europol on the day of the takedown to ensure seamless coordination\r\nbetween all the authorities involved.\r\nMy device has been infected – what do I do \r\nFluBot malware is disguised as an application, so it can be difficult to spot. There are two ways to tell whether an\r\napp may be malware:\r\nIf you tap an app, and it doesn’t open\r\nIf you try to uninstall an app, and are instead shown an error message\r\nIf you think an app may be malware, reset the phone to factory settings. \r\nFind out more on how to protect yourself from mobile malware.\r\nThe following authorities took part in the investigation:\r\nAustralia: Australian Federal Police\r\nBelgium: Federal Police (Federale Politie / Police Fédérale)\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones\r\nPage 2 of 3\n\nFinland: National Bureau of Investigation (Poliisi)\r\nHungary : National Bureau of Investigation (Nemzeti Nyomozó Iroda)\r\nIreland: An Garda Síochána\r\nRomania: Romanian Police (Poliția Română)\r\nSweden: Swedish Police Authority (Polisen)\r\nSwitzerland: Federal Office of Police (fedpol)\r\nSpain: National Police (Policia Nacional) \r\nNetherlands: National Police (Politie)\r\nUnited States: United States Secret Service \r\n \r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones"
	],
	"report_names": [
		"takedown-of-sms-based-flubot-spyware-infecting-android-phones"
	],
	"threat_actors": [],
	"ts_created_at": 1775434301,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc72f53c03ef65cfc44fb73c694ac27a19d0616c.pdf",
		"text": "https://archive.orkl.eu/dc72f53c03ef65cfc44fb73c694ac27a19d0616c.txt",
		"img": "https://archive.orkl.eu/dc72f53c03ef65cfc44fb73c694ac27a19d0616c.jpg"
	}
}