Flubot banking malware focused on targeting Android users in Finland

Flubot Banking Malware Financial Trojan Android Mobile Finland Phishing Campaign

Finland’s National Cyber Security Centre (NCSC) recently released a threat advisory regarding a Flubot campaign that heavily targets Android users inside their country. NCSC Finland said that the Flubot banking malware is spread through SMS sent from compromised devices.

The new spam campaign utilises a voicemail theme that asks the targets to access a link that would enable them to open a voicemail message or SMS from a mobile operator. However, there is a trap inside these messages because the SMS receivers are redirected to malicious websites after accessing them. The sites push APK installers to distribute the Flubot banking malware on their Android devices rather than opening the sent voicemail or message.

For the other targets, iOS powered device users will only be redirected by the malware to malicious pages such as phishing sites because the threat actors will attempt to phish credit card information. Fortunately, these phishing web pages will be easy to identify if it is on an Apple device.

According to Finland’s NCSC, they have estimated that over 70,000 voicemails and messages have been sent in the last couple of days. They also said that if the current campaign is overly aggressive, it should be expected to spike up to hundreds of thousands soon. The NCSC has already recorded a dozen confirmed cases where the Flubot banking malware has victimised devices.

Although the NCSC and its allies have almost entirely eradicated the Flubot from Finland last summer, it is not enough since the current active banking malware campaign has all new features. Therefore, the previously implemented control features against the past Flubot are rendered useless.


Android users who have encountered the new Flubot spam are urged not to access the attached links or even download the files to their devices.


Since last year, the Flubot banking malware has been operating and is utilised to exfiltrate banking credentials, text messages, contacts information, credit card data, and payment details.

Initially, the Flubot primarily targeted Android devices owners exclusively inside Spain’s territory. However, it has now reached targets from other countries in Europe, such as the United Kingdom, Germany, Poland, and Switzerland. There were also incidents that the Flubot has been observed inside Japan and Australia, making it a global banking malware threat.

After victimising an Android mobile device, Flubot escalates to other devices by spamming text messaged to stolen contact and commanding the targets to install malware-laden applications in the form of APKs. When the malware is successfully installed in a new Android device, it will attempt to deceive victims into providing additional permissions to grant the malware operators accessibility services. The Android Accessibility services will also enable the malware to hide and operate malicious tasks discretely.

Suppose the malware has operated without being detected or resolved, it will start taking over the infected devices, and then gain access to the victim’s payment transactions and banking information through a web view phishing page overlayed on a legitimate banking application interface.

Researchers suggest that Android users should avoid suspicious emails or unwanted SMS received from unknown sources. It is imperative to be more wary and vigilant not to be victimised by any malicious acts.

About the author

Leave a Reply