The Finnish National Cyber Security Centre (NCSC-FI) has issued a warning to citizens about the current version of the FluBot malware campaign which is affecting “tens of thousands of people in Finland.”

The malware campaign leverages SMS by sending out numerous text messages, according to NCSC-FI. The messages, all of which are written in Finnish, use different verbiage.

A telltale way to identify the messages as illegitimate is to look at the alphabet used in the creation of the messages; they are missing certain Scandinavian letters (å, ä and ö) and include symbols in odd places. The analysis by the NCSC-FI is that the insertion of these symbols is by design—to make it difficult for telecom operators to filter out the FluBot SMS messages.

While the individual message text may vary, the underlying theme and the socially engineered “hook” is that the recipient has received a voicemail. Clicking on an included link will prompt them to allow installation of an app onto their device to listen to the fake voicemail; if they allow it, the malware is then installed.
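The tells described above (no å, ä or ö in a Finnish message, symbols in odd places, and an included link) can be combined into a rough triage heuristic for reported SMS texts. This is an added example, not NCSC-FI's or any operator's filter; the threshold, function names and sample messages are constructed for illustration.

```python
import re

NORDIC = set("åäöÅÄÖ")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
# A symbol wedged between two letters, e.g. "vie%sti". Hyphens and
# apostrophes are excluded because they occur inside ordinary words.
ODD_SYMBOL_RE = re.compile(r"(?<=[^\W\d_])[^\w\s'’\-](?=[^\W\d_])")
MIN_LETTERS = 30  # assumed threshold: shorter texts may lack å/ä/ö by chance

# Constructed sample messages (not real campaign traffic).
LURE = "Sinulle on uusi aa%niviesti, kuuntele se ta#alla: http://example.invalid/v?x1"
LEGIT = ("Hei! Hammaslääkäriaikasi on huomenna klo 9.00. "
         "Peruutukset: https://example.invalid/ajanvaraus")
SHORT = "Moi, soitan kohta"


def score_sms(text):
    """Return (score, reasons) for one SMS body; higher is more suspicious."""
    body = URL_RE.sub(" ", text)  # judge the wording, not the URL characters
    reasons = []
    letters = [c for c in body if c.isalpha()]
    if len(letters) >= MIN_LETTERS and not NORDIC.intersection(letters):
        reasons.append("no_nordic_letters")
    if ODD_SYMBOL_RE.search(body):
        reasons.append("symbol_inside_word")
    if URL_RE.search(text):
        reasons.append("contains_link")
    return len(reasons), reasons


def is_suspicious(text):
    """Flag a message that carries a link plus at least one wording anomaly."""
    score, reasons = score_sms(text)
    return "contains_link" in reasons and score >= 2


if __name__ == "__main__":
    for sms in (LURE, LEGIT, SHORT):
        print(is_suspicious(sms), score_sms(sms)[1])
```

Treat the result as a triage signal rather than a verdict: ordinary constructions such as "ja/tai" also place a symbol between letters.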

The NCSC-FI advises that the malware, once in place, steals the individual’s data and also sends additional “malware-spreading scam messages.”

Déjà FluBot

This is not the first instance of the FluBot malware appearing in Finland. The June 2021 campaign saw thousands of victims falling for the scam. Back in June, the hook was that the recipient had a “package awaiting delivery” and the link ostensibly took the user to a package tracking site.

The current campaign is targeting Android devices with a mobile subscription from a local telecommunications operator. Apple device owners are redirected to another website controlled by the cybercriminals.

Antti Turunen, head of anti-fraud at Telia, said this instance of FluBot is worse than the summer campaign. Teemu Makela, chief information security officer (CISO) at Elisa Oyj, added, “The malware attack is highly unusual and very alarming. A significant number of text messages are passing through. It is estimated [that] millions of SMS messages are passing through the various mobile service providers with Telia indicating it had intercepted several hundred thousand.”

In August 2021, FluBot targeted mobile phone users in Australia and then, in October 2021, it was New Zealand’s turn. The New Zealand CERT issued a warning that a number of different SMS messages were targeting Android phones. The messages attempted to hook the user with some variation of one of these themes:
 You have a parcel delivery pending
 Someone is attempting to share an album of photos with you
 You have received a voicemail.

New Zealand’s CERT warned that the malware would steal banking and credit card information and continue to spread itself.

Infected by FluBot?

NCSC-FI offered users guidance if they clicked the FluBot link and their device became infected.
 Perform a factory reset on the device. If you restore your settings from a backup, make sure you restore from a backup created before the malware was installed.
 If you used a banking application or handled credit card information on the infected device, contact your bank.
 Report any financial losses to the police.
 Reset your passwords on any services you have used with the device. The malware may have stolen your password if you have logged in after you installed the malware.
 Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spreads by sending text messages from infected devices.

By Christopher Burgess on December 1, 2021