If you’ve been receiving some garbled SMS messages mentioning a missed call or voicemail recently, you’re not alone. The messages are generated by malware called ‘Flubot’, which spreads via SMS and can infect insecure Android phones.
What is Flubot?
FluBot is malware (like a computer virus) that can be installed on your Android device if you click on a malicious link in an SMS message. This malware then sends many similar text messages to other people from your list of phone contacts without your knowledge, potentially infecting them too.
If installed, the malware has wide access and can harvest your contact list to further spread, as well as accessing your personal information and banking details if you used it while infected. If infected, you should urgently remove the malware and change all your passwords, using another device that is not infected.
How do phones get infected?
You may receive an SMS from another mobile number with a message about a missed voicemail, or it could be about a package delivery service from a reputable brand:
If you click on the link, you will be taken to a web page displaying some trusted brand and prompted to install an app, in order to listen to the voicemail message. If you give permission to install, then the Flubot malware will be loaded on your mobile.
Flubot is a sophisticated piece of malware because it spreads by sending SMS messages to random mobile numbers, as well as mobile numbers obtained from a compromised Android device’s contact list. Each time it does this, it creates a new and unique link, which therefore makes it almost impossible for the carriers to block this before it gets to your phone or compromises someone else. To have your mobile phone compromised by the Flubot malware, you would have to click on the link and visit the malicious website in the SMS you receive.
How can I tell if I’m infected?
If your device is infected with Flubot, you will not know if your personal data is being accessed, and you will not be able to see your handset sending SMS messages to infect others. The following are warning signs:
- In your app list, you’ll see a new app called “Voicemail” with a blue cassette in a yellow envelope. If you try to uninstall you receive an error message “You cannot perform this action on a system service.”
- You receive text messages or telephone calls from people complaining about messages you sent them, but you have no idea you sent them any.
- Your carrier may detect you sending very high volumes of messages and send you a message saying: “Your phone is sending many SMS and may be infected with malware/virus…” or something similar.
What can I do?
Importantly, just because you’ve received this message does not mean that your phone is already affected. If you’ve just received one of these messages, do not open the link and you’ll remain protected. However, if you have already clicked on the link and downloaded the software, chances are your device is now infected.
Most popular anti-virus applications for Android phones will detect Flubot to prevent infection, as well as clean up a currently infected device. Information on how to remove Flubot from an Android device is available from various sources online. However, the instructions can be very technical, so if this sounds too techy for you, you can factory reset your phone, which will also erase the malware. Remember that once you’ve reset your phone, performing a “restore” of any recent backup may restore the malware (if that backup was taken while the malware was already installed), so it’s important that after a reset, you use an older backup.
After you’ve removed the malware/virus from your phone, we recommend changing your passwords as a precaution. Do not change your passwords before removing the malware.
Australian phone carriers are already working with the security community to address this scam. For now, and as always, our advice is to be especially cautious of phone calls, messages and emails from an unfamiliar source, and not to click on links that you don’t trust. If you’re still unsure of what to do and think you have been compromised, please contact our support team on 1300441551.