FluBot banking Trojan campaign targeting European mobile users

Researchers discovered that the attackers send the victim a text message containing a download link. The content of the message is usually related to the counterfeit application, inducing the victim to download and install the FluBot banking Trojan.

FluBot's malicious functions include disabling battery optimization, popping up a credit card page, turning off the Google Play Protect service, overlaying fake WebView pages, preventing uninstallation, replacing the default SMS handler, and automatically granting permission requests. Based on FluBot's prompt text, infected device information, and affected areas, FluBot was found to target European countries where credit cards are the main payment method.

At the beginning of March, the Catalan police broke up an online financial fraud operation. The criminal gang used Android malware called "FluBot" to send text messages with malware download links, sending at least 71,000 spam text messages and infecting 60,000 devices. Four suspects have been arrested by the police, but the "FluBot" malware continues to operate, and the latest version found has been updated to 3.7.

FluBot was first exposed at the end of 2020 and belongs to the banking Trojan family. Functionally, FluBot can display a fake login screen on top of legitimate applications to collect e-banking credentials and credit card details from the device. Technically, FluBot uses a variety of code protection methods to make analysis and detection difficult. It uses a domain generation algorithm (DGA) to establish a botnet, randomly generating C&C domains to hide the real C&C address. In terms of dissemination, FluBot has an SMS mechanism that mass-sends SMS messages containing download links to the victim's contact list. The sites behind the links that host the malware are legitimate websites that have been hacked, which helps it spread more smoothly.

The applications FluBot disguises itself as are mainly transportation and logistics applications. The package names of these disguised applications are concentrated in com.tencent.mm and com.tencent.mobileqq. The software with these two package names has obvious regional characteristics. Our guess is that this disguise is meant to further exclude that region and focus on users outside it.
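
The traits described above (the two package names, replacing the default SMS handler, disabling battery optimization, delivery by SMS link) can be combined into a simple app-inventory triage. This is an added example, not code from the original article; the record fields, the sample rows and the trusted-installer list are assumptions.

```python
# Added example: triage an app inventory for the FluBot traits described above.
# The record fields below are a hypothetical MDM export format, not a real schema.
FIELDS = ("package", "label", "installer", "default_sms", "battery_opt_exempt")

# Labels the genuine apps carry for the two package names the article lists.
EXPECTED_LABELS = {
    "com.tencent.mm": {"wechat", "微信"},
    "com.tencent.mobileqq": {"qq"},
}
# Assumption: only Google Play installs count as trusted in this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
MISMATCH = "label does not match package name"


def reasons(app):
    """Return the traits from the write-up that this app record exhibits."""
    found = []
    expected = EXPECTED_LABELS.get(app["package"])
    if expected is not None and app["label"].strip().lower() not in expected:
        found.append(MISMATCH)
    if app.get("installer") not in TRUSTED_INSTALLERS:
        found.append("installed from outside the store")
    if app.get("default_sms"):
        found.append("holds the default SMS role")
    if app.get("battery_opt_exempt"):
        found.append("exempt from battery optimization")
    return found


def flag(inventory, threshold=3):
    """Flag a label/package mismatch outright, or `threshold` traits together."""
    hits = []
    for app in inventory:
        found = reasons(app)
        if MISMATCH in found or len(found) >= threshold:
            hits.append((app["package"], app["label"], found))
    return hits


# Constructed sample inventory (not real telemetry).
ROWS = [
    ("com.tencent.mm", "WeChat", "com.android.vending", False, False),
    ("com.tencent.mm", "Parcel Tracking", None, True, True),
    ("com.tencent.mobileqq", "Express Delivery", None, False, True),
    ("com.example.sms", "Messages", "com.android.vending", True, False),
]
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    for package, label, why in flag(SAMPLE):
        print(f"{package} ({label}): {'; '.join(why)}")
```

A single trait such as holding the default SMS role is common for legitimate apps, which is why only the label/package mismatch is flagged on its own.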


Analysis shows that, in addition to Spanish, FluBot's prompt text covers multiple languages, including German, Polish, Hungarian, and English. Combined with the infected device information, victims were also found in Portugal and Denmark. The affected countries are concentrated in Europe, and the mainstream payment method in these countries is mainly credit cards. Because of different payment habits, our country has not yet been affected by FluBot.


In recent years, the rapid rise of financial technology has continued to bring innovative vitality to financial development. At the same time, the sector should be aware of the risks that come with the development of financial technology, including its own systemic risks. The actual impact caused this time by the lack of infrastructure in Spanish mobile banking reflects the importance of improving financial technology infrastructure. It is necessary to continuously improve the security of financial transactions and reduce security risks.