Flubot, the fake Fedex SMS that has a sophisticated and dangerous Android virus behind it

In recent times we have seen many scams arriving by SMS and impersonating delivery companies, but none as sophisticated and dangerous as the one currently arriving as a fake FedEx notice (FedEx is only its current disguise; it may change over time). On a technical level it is so complex and so “well” executed that it can take full control of the device (if it runs Android) and reach our bank accounts.

It is estimated that 60,000 devices have already been infected worldwide, most of them in Spain, and that more than 11 million Spanish phone numbers have been collected and stored by the attackers, according to the Swiss security company PRODAFT. Researchers have given this new virus a name: FluBot.

From Technoeager we have analyzed both the process and the final virus that is installed. In many cases the attackers are able to access the infected device and its owner's bank accounts, operate them and withdraw money without making any noise. The only way to find out may be when we open the bank’s application and see that it is too late and the money is gone. It is a very dangerous virus whose spread has exploded in recent days.

An innocent SMS that can leave us without savings

“Hello Alesya, your shipment was delivered on 09/04/2020 at the drop-off point. See where you can pick up your package here [URL REDACTED]”

This is the typical format of the message that reached the person writing these lines, just as it has reached many others: several people in the Technoeager team’s close circle have received it too.

The first thing that strikes me is that they don’t use my name correctly. My name is spelled differently on my DNI from how it is pronounced, and people usually know me by the latter, so a parcel company should use my first name when informing me. This happens because the infected person has given access to all their contacts, and the attackers use the name under which that contact has saved you: “Alesya work”, “Mom”, “Hector mobile”… Any of those formats can appear when the message reaches you, apart of course from first and last names.

When I clicked on the link, it took me to a page indicating that I had to download an app to continue with the procedure. This step is critical. Once you install the application (do not do it under any circumstances), the problems begin.

It is something that should set off alarms for anyone who stops to read those three lines, but for those used to accepting any banner without reading it, it can lead to granting a permission that can be fatal.

This was the case for the in-laws of a Forocoches user who explained their case: overnight they lost all the savings in their Ibercaja account, no less than 50,000 euros, as that user explained with various details in the forum. We have tried to contact him but had not received a response at the time of publication of this article.

Later we spoke with Isaac, owner of a phone shop in Reinosa (Cantabria) where he repairs terminals and solves technical problems for his clients. In recent days, three different clients who had fallen victim to this same scam came to him. They went as far as installing the application, and a third party accessed their bank accounts. According to this technician, one of them was robbed of 23,000 euros, with the attackers creating 1,000-euro prepaid cards until the account was emptied. None of them said they had received an SMS to verify access or transactions. That is part of the scam: it hijacks the reception of messages, and the user cannot even access them.

Another detail is that affected phones can send tens or hundreds of SMS without their owner knowing, in order to try to capture new victims, so the damage is not limited to the savings in the bank: those on a plan that charges per message sent can see a large increase in their bill for this item.

What do I do if I receive the message?

The message reaches you because one of your contacts is infected. The person who has installed the “FedEx app” gives access to their entire contact list, and that is where the attackers find the name assigned to each number. Sometimes it is easy to spot because the name they use can be “Alesya work”, for example, or “Mom”, depending on how your contact has saved you in their phone book. Receiving the message does no harm by itself; you just have to ignore it and not click on its link.

The app scam affects Android smartphones, but that doesn’t mean that iPhone and iOS users don’t receive the same SMS. What changes is that, when the malicious websites detect they are being accessed from iOS, something they do by identifying the browser’s user-agent, we are not offered the download and installation of a fake FedEx application.

Instead, the browser ends up on a phishing website that pretends to look like Amazon, congratulating us on “being randomly selected to complete a survey.” According to the website, if we fill it in, they will give us “an incredible prize: Apple iPhone 12 Pro”. What they are after is our data and payments of money for, supposedly, shipping that fake prize and the like. This scam is more common and is similar to the Post Office SMS scam we talked about in 2019.

What does the FedEx app do and why is it so dangerous?

The FedEx application is extremely dangerous because it hijacks our SMS application and replaces it with another one of similar appearance in order to access all our old messages and those we receive after installation. Since it also has the ability to send SMS, the application will send the scam to other phone numbers obtained by the attackers, thanks to the fact that it also accesses address books.

In addition, thanks to the accessibility permissions (one of the biggest sources of complaints on Android) granted by the victims, the application is able to control everything that happens on our screen and access all the data displayed on it, such as passwords, identifiers such as the DNI, etc. All of these can be used to access bank accounts and make transfers without the victims noticing.

As the system itself indicates, if we give accessibility permissions, the fake FedEx application will be able to “fully control the device”, to “see and control the entire screen” and to “see and perform actions”. That is, it will be able to see everything we type and the information our applications show, and even perform ghost taps on the screen, close apps, etc. According to the expert Android developer Linuxct, the application can do this thanks to tap-jacking, a process by which it grants itself permissions when the screen is touched.

The system takes care of details such as not sending an SMS to our contacts, but having other numbers write to them so as not to raise suspicions.

By granting this permission with the ‘Allow’ button shown in the system warning dialog, the malicious application also gains the ability to read all our SMS and contacts, and can even make calls, connect to the internet and work in the background.

And that is what it will do from then on, minute by minute: monitor which SMS we send and receive and who our contacts are, so that attackers can send them similar messages and infect them too. If our phone has been infected, it will collect our contacts but will not send them the FedEx message on our behalf. Instead, the attackers obtain our contacts and send them the message from the phone of another victim who does not have them in their address book, so that the sender is not familiar to them.

Thanks to the aforementioned tap-jacking, the app now moves freely, and the first visible action it takes is to replace the default SMS app with one that looks the same. In this way, all the SMS we receive will be read by the application, without notifying us. With all this information, the attackers are ready, in addition to spreading the scam SMS massively, to start making money by emptying victims’ accounts.

How attackers make money when victims install the application

With the accessibility permission activated and tap-jacking, which allows the attackers to monitor all the applications we open, what we do in them and all data such as codes, passwords or credentials, along with the reading of all our SMS messages, the attackers can already obtain highly sensitive information.

With total control of the device it is very easy to see or extract our ID and the password we use for our bank app; from there, and without us seeing the SMS, they can empty our account.

This can be our ID, the PIN we enter to access our bank account through the bank’s official application, and the verification codes that arrive by SMS.

To steal that bank-app password, the FedEx app shows a fake window to harvest credentials, but it can also do so by capturing the data that appears on the screen. It is also possible that the DNI is obtained from old messages, where it may appear in a statement or notification from a company or platform.

Thanks to having access to our SMS and, more importantly, to hijacking them without us knowing that our smartphone is receiving them, the attackers, once they have our credentials, can start making money transfers to their own accounts, thus emptying ours.

The SMS that we should receive to authorize such transfers will arrive, but without the victim knowing, since they cannot access either the real messaging application or its notifications, so the attackers can use those codes to complete the transfers and steal large amounts. And all this without the victim having any way of knowing they are losing money until they see in their account that it has disappeared without their authorization.

How do I know if I am infected by the application?

From Technoeager we have contacted the developer Linuxct who, in addition to being surprised by the sophistication of the malicious application, points out that its code is changeable because it can execute code updates downloaded from the Internet; that is, it can update itself over time using encrypted communications. Uninstalling the application is quite difficult once accessibility permissions have been granted, and this changing nature can make it even more difficult.

Therefore, knowing whether your smartphone is infected may not always be a straightforward process. In general, from what has been observed with the application distributed since January, and specifically with the FedEx variant in recent hours, there are some ways to discover if we are infected:

(Image: FedEx FluBot)
  • If our default SMS application (Google’s or the manufacturer’s) has changed to FedEx’s. Its interface looks like the image above, at least in its latest version.
  • Searching for “FedEx” among our installed applications, if we have received the SMS and gone through the installation process. This application may be hidden, but if it is in our application list, we are definitely infected. Since the application that impersonates the system Messages app hijacks all the SMS we receive, we can ask family members to send us an SMS to see if it arrives. If not, that would mean that we are infected.
  • Trying to open the Play Store to install other apps. In at least two of the infected smartphones we analyzed, the malicious application, thanks to the accessibility permission granted, is able to close the Play Store without us being able to do anything. If we go to the default app settings to change the messaging app, we can see that FedEx has been set as the default. If we manage to reach that menu (it is possible that the settings get closed), it is also possible that FedEx does not allow the default application to be changed.

How to uninstall this FluBot app

There are three main ways to remove this application, from the phone itself or from a PC, and we detail them step by step below.

Option 1: Using safe mode

The easiest way is to use safe mode. This is the mode Android provides so that only the system’s basic apps run, designed precisely to allow uninstalling those that cause problems. Safe mode is accessed very easily on most phones, although the procedure varies on others.

On phones with pure Android and similar

You simply have to press and hold the ‘Power off’ option in the menu that appears when you press the power button, which will offer you to restart in safe mode.

On Samsung mobiles

To activate safe mode on a Samsung follow these steps:

  • Turn off the device
  • Press and hold the Power key until the name of the phone appears on the screen
  • When “SAMSUNG” appears on the screen, release the Power key
  • Immediately after releasing the Power key, press and hold the Volume Down key

On Huawei phones

On Huawei phones these are the steps to activate safe mode:

  • Turn off the phone
  • Press the power button and the volume up (+) button
  • Wait until a new screen appears
  • On this screen, tap ‘Safe Mode’

This mode disables all the applications installed by the user, so this APK will not be able to run, but it can be uninstalled manually. The path is as follows:

  • Open the phone settings
  • Go to the applications menu
  • Search for FedEx and tap on it
  • Tap ‘Uninstall’

Option 2: Format or factory reset the terminal

Another method to kill the malicious application is to factory reset the terminal, deleting all third-party applications as well as any files that may remain on the phone. Due to the variety of customization layers in Android, some include this option in the Backup section, others in User Accounts, others in Security. If you cannot find it, use the search box at the top of the settings to search for “restore” or “reset”. To perform a reset, follow these steps.

  • Open the phone settings
  • Type “restore” or “reset” in the search box
  • Tap the option to “delete all data”, “erase all” or similar
  • Wait for the phone to reboot completely

Option 3: Uninstall the application with ADB from a computer

Finally, the most complicated and expert-oriented method is to remove the application using ADB commands. In short, we use the Windows or macOS command console to remove the application from there. First of all, the ADB drivers must be installed, on both Windows and macOS.

Once we have the ADB drivers installed, we will have to activate USB debugging from the developer options. To get there, follow these steps:

  • Open the phone settings
  • Go to ‘About phone’, ‘Phone information’ or similar
  • Look for ‘Build number’ and tap it seven times
  • Return to the settings menu
  • Tap ‘System’
  • Tap ‘Advanced options’
  • Go to the developer options
  • Activate ‘USB debugging’

Once we have activated USB debugging, we connect the phone to the PC and open a command console. In Windows we do this by typing ‘terminal’ in the search bar, while in macOS we do the same in the search magnifying glass.

Once the phone is connected, we perform these steps to remove the application:

  • Open command console
  • Type “adb shell”
  • Type the command “pm uninstall com.tencent.mm”

Done. In this way, the application will be removed from your phone and should not cause problems again. As always in these cases, we recommend taking special care with APKs from outside the store, especially when the operating system itself warns us that they can be dangerous.

In the command we have included “com.tencent.mm” because it is the internal name of the FedEx application’s package, under which Android installs it. The attackers could change that name in the future, in which case uninstalling it would require running the command with the new name. So far, in this scam active since January, that name apparently has not changed.
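The following helper, added here as an example and not part of the article or of any tool it mentions, wraps the ADB workflow above from a defender’s side: it filters the third-party package list (`adb shell pm list packages -3`) for the package name cited above or any name containing “fedex”, checks whether the default SMS handler (read with `adb shell settings get secure sms_default_application`) has been swapped, and prints the uninstall command. It assumes adb is on the PATH for a live run (enabled with `FLUBOT_LIVE=1`); the expected SMS app defaults to Google Messages and the package list used offline is constructed.

```shell
# Added defender-side helper, not the article's own script. It wraps the ADB
# steps above: filter the third-party package list for the suspect package
# (com.tencent.mm, as cited above) or anything mentioning "fedex", check whether
# the default SMS handler was swapped, and print the uninstall command. A live
# run needs adb on PATH and FLUBOT_LIVE=1; the sample below is constructed.

# Read "adb shell pm list packages -3" output from stdin and print bare
# package names (strips the "package:" prefix and any CR that adb adds).
pkg_names() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Print packages (from stdin) whose name equals $1 exactly or matches the
# optional pattern $2, case-insensitively. Prints nothing if none match.
find_suspects() {
    name="$1"; extra="${2:-}"
    if [ -n "$extra" ]; then
        pkg_names | grep -i -e "^$name\$" -e "$extra" || true
    else
        pkg_names | grep -i -e "^$name\$" || true
    fi
}

# Compare the current default SMS handler ($1, the value of
# "adb shell settings get secure sms_default_application") with the expected
# one ($2). Returns 0 and prints the current value only when they differ.
check_default_sms() {
    [ "$1" = "$2" ] && return 1
    printf '%s\n' "$1"
}

# Build the uninstall command the article uses, for a given package name.
uninstall_cmd() {
    printf 'adb shell pm uninstall %s\n' "$1"
}

# Constructed sample of "pm list packages -3" output for the offline path.
SAMPLE_PKGS='package:com.whatsapp
package:com.tencent.mm
package:org.mozilla.firefox'

if [ "${FLUBOT_LIVE:-0}" = "1" ] && command -v adb >/dev/null 2>&1; then
    adb shell pm list packages -3 | find_suspects com.tencent.mm fedex
    cur=$(adb shell settings get secure sms_default_application | tr -d '\r')
    if check_default_sms "$cur" "${EXPECTED_SMS_APP:-com.google.android.apps.messaging}"; then
        echo "default SMS handler is not the expected one"
    fi
else
    printf '%s\n' "$SAMPLE_PKGS" | find_suspects com.tencent.mm fedex | while read -r p; do
        uninstall_cmd "$p"
    done
fi
```

Without a device attached the script only exercises the constructed sample and prints the uninstall command it would run; if the default SMS handler check fires on a real phone, that matches the infection sign described in the detection section.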
