It has recently been reported that Flubot, spyware targeted at smartphones, has been spreading across the UK. The malware is being delivered via SMS, under the guise of a parcel delivery app, tricking users into downloading the malicious software. Network operators have said that millions of these malicious texts have already been sent across their networks, causing enough of a stir for the NCSC to issue remedial guidance.

Here’s what you need to know about Flubot

Flubot is a form of spyware that can be used to take over and gather information from devices, it also has the capacity to message the contacts of infected devices. The fact that this mobile malware can interact with a device’s contacts list means the application has been granted escalated permissions, something that phone owners are known to be flippant about.

For this particular campaign, SMSs have been used to distribute Flubot by pushing targets to a webpage to download a ‘parcel delivery’ application, similar to traditional smishing campaigns. In this instance, the primary brand being used has been DHL, but there have been reports of the Royal Mail, FedEx and Hermes as well.

The application comes in the form of an APK, meaning that this campaign is only affecting Android devices. By default, third-party apps are blocked from automatically downloading on Android devices, however, the fake download page provides users with a walkthrough on how to bypass this innate security feature, enabling installations from unknown sources.

As an IT professional, this is a clear red flag, however, third-party app installations are commonplace in the consumer world, particularly as apps like Fortnite have moved away from official app stores to self-hosted platforms.

O2, Vodafone, Three as well as a number of other network operators turned to the Twitterverse to warn the general public about Flubot and what to look out for.


What can you do if you’ve received a Flubot SMS?

Firstly, don’t click the link nor install the app. Secondly, forward the message to 7726 which is a free spam-reporting service provided by phone operators. Then delete the message.

If you have already downloaded the app, the NCSC recommends that you perform a factory reset as soon as possible. When you’ve reset the device, make sure that if you restore from a backup that the backup predates the installation of the Flubot application.

If you use Wandera’s Threat Defense solution, then you will have been protected.

Lessons from Flubot

What’s clear from this malware campaign is that smishing and malware continue to be a threat, it’s obvious by the hordes of people commenting on Flubot tweets asking about what to do if they’ve clicked on the link or entered their details.

Threats like Flubot draw attention to mobile security. There are a number of misconceptions around mobile security which typically lead to mobile devices being an underprotected form factor in corporate environments. Mobile devices are just small computers that are susceptible to their own cyber threats. As personal devices interact more and more with corporate IT environments, there is a growing need to ensure security without the management overhead or privacy concerns caused by Unified Endpoint Management (UEM).

Understanding app permissions, whether a device has been rooted or jailbroken, whether there are malicious or risky apps installed on the device is critical before you let them connect to your environment. You wouldn’t let a laptop with malware installed connect, so it should be no different for a mobile device. This is particularly pertinent for unmanaged devices like BYOD or third-party devices that need to connect where there is less control over the hygiene of the device.

As access and security strategies mature to accommodate hybrid working, companies of all sizes are adopting Zero Trust Network Access (ZTNA) models, building in device posture assessments into application access decisions.

To find out more about Wandera’s Threat Defense and Private Access solutions, get in touch.