FluBot
FluBot was an SMS-spreading Android banking trojan that achieved worm-like propagation by sending smishing messages to every contact on an infected device. Between late 2020 and mid-2022, it became one of the fastest-spreading mobile threats in history, harvesting over 11 million phone numbers in Spain alone (roughly 25% of the population). Dutch police seized its infrastructure in May 2022 as part of a Europol-coordinated operation involving 11 countries.
Overview
| Attribute | Details |
|---|---|
| First Seen | Late 2020 |
| Last Seen | June 2022 (infrastructure seized) |
| Type | Banking trojan, SMS worm, credential stealer |
| Attribution | Unknown, infrastructure operated from the Netherlands |
| Aliases | Cabassous, FedEx Banker |
Origin and Lineage
FluBot first appeared targeting Spanish banking customers in late 2020. PRODAFT published the first major technical analysis after gaining visibility into the operation, revealing the scale of the botnet: approximately 60,000 active infected devices with access to harvested phone numbers from millions of contacts. The malware has no known direct code lineage to earlier banking trojan families, appearing as an independently developed project that drew on established techniques (overlay attacks, accessibility abuse) combined with a novel SMS worm propagation mechanism.
FluBot's rapid spread and operational success attracted imitators. Both Medusa and Anatsa were observed using FluBot's distribution network and mimicking its smishing templates, as documented by Proofpoint and ThreatFabric.
Distribution
FluBot was distributed exclusively through SMS phishing (smishing). The infection chain:
Victim receives SMS: "Your package is arriving, track here: [link]"
→ Link leads to fake delivery tracking page (DHL, FedEx, Correos, UPS)
→ Page prompts to download "tracking app" APK
→ APK requests Accessibility Service permission on install
→ Once granted: overlay attacks enabled, SMS access gained
→ Malware reads victim's contact list
→ Sends smishing SMS to all contacts from victim's device
→ Cycle repeats on each new infection
The self-propagating SMS mechanism was the key differentiator. Each infected device became a distribution node, creating exponential growth. Proofpoint estimated tens of thousands of malicious SMS messages sent per hour during peak campaigns, with some subscribers receiving up to six FluBot SMS messages.
Lure Themes by Region
| Region | Lure Theme |
|---|---|
| Spain | Correos (postal service), MRW delivery |
| Germany | DHL package tracking |
| UK | Royal Mail, DHL |
| Italy | Poste Italiane |
| Australia | Australia Post |
| Japan | Yamato Transport |
After police action against the Spain-focused campaign in early 2021, operators pivoted to new regions rapidly, adapting lure templates to local postal services.
Capabilities
Core Functions
| Capability | Description |
|---|---|
| SMS worm | Reads contact list, sends smishing SMS from victim's device to all contacts |
| Overlay attacks | Injects phishing pages over banking and cryptocurrency apps to steal credentials |
| SMS interception | Reads, intercepts, and hides incoming SMS (steals OTPs) |
| Contact exfiltration | Uploads full contact list to C2 |
| Notification interception | Monitors push notifications for 2FA codes |
| Keylogging | Records keystrokes on targeted apps |
| Remote control | Operators can send commands for USSD execution, app installation, SMS sending |
| Uninstall prevention | Uses Accessibility Service to close settings/uninstall dialogs |
Version Evolution
FluBot iterated rapidly across versions. Fox-IT / NCC Group published a detailed version history and F5 Labs covered the v5.0 changes:
| Version | Date | Changes |
|---|---|---|
| 1.0-2.x | Late 2020 | Initial Spain campaign, basic overlay attacks, SMS worm |
| 3.4 | Early 2021 | Reduced DGA domain count from 5,000 to 2,500 per month |
| 3.7 | March 2021 | Replaced .com TLD in DGA with .su |
| 3.9 | March 2021 | Introduced DNS-over-HTTPS (DoH) for DGA domain resolution |
| 4.0 | April 2021 | Switched DoH provider from Cloudflare to Google |
| 4.1 | 2021 | Added multiple DoH providers: Google, Cloudflare, AliDNS |
| 4.9 | Late 2021 | Direct HTTPS communication on port 443 after DGA resolution; expanded targeting to Australia, Japan |
| 5.0 | Early 2022 | Replaced DGA+DoH with DNS tunneling over HTTPS; expanded to 30 TLDs; added remote seed change command |
Technical Details
Domain Generation Algorithm (DGA)
FluBot's DGA was central to its resilience. The algorithm generated domains based on a seed derived from the current year and month. NCSC-NL tracked FluBot DGA domains and F-Secure (now WithSecure) analyzed the DoH tunneling mechanism:
| Parameter | Details |
|---|---|
| Seed | Derived from current month and year |
| Domain count | 5,000 initially, reduced to 2,500 in v3.4, expanded again in v5.0 |
| Domain length | 15 characters |
| TLDs (pre-v5) | .ru, .su, .cn |
| TLDs (v5.0+) | 30 different TLDs |
| Resolution | DNS-over-HTTPS (v3.9+), then DNS tunneling over HTTPS (v5.0+) |
C2 Communication
| Version | Method |
|---|---|
| v1-v3.8 | Standard DNS resolution of DGA domains, then HTTPS to resolved IP |
| v3.9-v4.x | DGA domains resolved via DNS-over-HTTPS (Cloudflare, Google, AliDNS), then HTTPS to resolved IP |
| v5.0+ | DNS tunneling: C2 data encoded in DNS queries sent via DoH providers; responses embedded in DNS replies |
The DNS tunneling in v5.0 was a significant evolution. Instead of resolving DGA domains to get a C2 IP and then communicating over HTTPS, the malware embedded C2 commands and data directly within DNS queries and responses, using DoH providers as unwitting relays. This made traffic analysis substantially harder since all visible traffic appeared to be DNS queries to legitimate providers.
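The following detector is an added example, not code from the original page or from any of the cited analyses. It turns the two C2 patterns described in the DGA and C2 Communication sections into checks over a constructed DNS query log: many distinct 15-character .ru/.su/.cn names from one client (pre-v5.0 DGA walking) and long, many-label, high-entropy names (v5.0 tunnelling). It assumes you have query visibility, for example from a DoH-aware resolver or device-level DNS logs, because FluBot's use of public DoH providers otherwise keeps these queries out of a plain network resolver's logs; all thresholds and sample names are assumptions.

```python
import math, re
from collections import defaultdict
# Pre-v5.0 DGA shape per the page: 15-char second-level label under .ru/.su/.cn (assumed lowercase letters).
DGA_LABEL_RE = re.compile(r"^[a-z]{15}$")
DGA_TLDS = {"ru", "su", "cn"}
# Assumed thresholds (not from the page): a bot walks many generated names before one
# resolves, and tunnelled C2 data shows up as long, many-label, high-entropy names.
DGA_MIN_DISTINCT = 3
TUNNEL_MIN_NAME_LEN, TUNNEL_MIN_LABELS, TUNNEL_MIN_ENTROPY = 60, 4, 3.5
# Constructed sample log, "timestamp client qname qtype", one query per line.
SAMPLE_LOG = """\
2022-02-01T10:00:02Z 10.0.0.7 lokalnayapochta.ru A
2022-02-01T10:00:03Z 10.0.0.12 kxwzjhdpmtcbqrv.ru A
2022-02-01T10:00:03Z 10.0.0.12 qmlrpztvbgdsncw.su A
2022-02-01T10:00:04Z 10.0.0.12 zhgtmwpkvrdlbqc.cn A
2022-02-01T10:00:06Z 10.0.0.12 qk3z7mvp1x9dw2tr.hb6n4cj8ly0sf5ga.e2u9oi7ak4mz1qx3.c2.example.net TXT
"""

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def is_dga_shaped(qname):
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[1] in DGA_TLDS and bool(DGA_LABEL_RE.match(labels[0]))

def is_tunnel_shaped(qname):
    labels = qname.lower().rstrip(".").split(".")
    if len(qname) < TUNNEL_MIN_NAME_LEN or len(labels) < TUNNEL_MIN_LABELS:
        return False
    # Labels below the registered domain (approximated as the last two) carry the payload.
    return shannon_entropy("".join(labels[:-2])) >= TUNNEL_MIN_ENTROPY

def analyze(log_text):
    """Return {client: {"dga": [...], "tunnel": [...]}} for clients that trip a threshold."""
    dga, tunnel = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        if is_dga_shaped(qname):
            dga[client].add(qname)
        elif is_tunnel_shaped(qname):
            tunnel[client].append(qname)
    findings = {}
    for client in set(dga) | set(tunnel):
        hit = {"dga": sorted(dga[client])} if len(dga[client]) >= DGA_MIN_DISTINCT else {}
        if tunnel[client]:
            hit["tunnel"] = tunnel[client]
        if hit:
            findings[client] = hit
    return findings
```

A single 15-letter .ru name from a client (10.0.0.7 in the sample) is deliberately not enough on its own; the per-client distinct-name count is what separates DGA walking from an ordinary lookup.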
Encryption
- C2 traffic encrypted with RSA public key embedded in the APK
- Payload APK encrypted within the dropper
- SMS message templates received from C2 in encrypted form
Overlay Injection
FluBot targeted banking and cryptocurrency apps with HTML-based overlay pages loaded in WebViews. The inject list was received from C2 and matched against installed packages on the device. When a target app was foregrounded (detected via Accessibility Service), the corresponding phishing overlay was displayed.
Target Regions
FluBot expanded geographically across its lifespan:
| Phase | Period | Regions |
|---|---|---|
| Initial | Late 2020 - Early 2021 | Spain |
| European expansion | Q1-Q2 2021 | Germany, Italy, UK, Hungary, Poland, Finland, Sweden |
| Global expansion | Q3 2021 - 2022 | Australia, New Zealand, Japan |
| Late stage | Early 2022 | Additional European countries, attempted US expansion |
BSI/CERT-Bund published advisories during the German campaign, and INCIBE-CERT (Spain) published a full analysis study documenting the original Spanish operations.
Notable Campaigns
2020, December: FluBot first appears targeting Spanish banking users through Correos (Spanish postal service) smishing lures. PRODAFT gains access to the operation and estimates 60,000 infected devices with 11 million harvested phone numbers from Spain.
2021, March: Spanish police arrest four suspects linked to FluBot distribution. The operation pauses briefly, then resumes with expanded targeting. FluBot begins hitting Germany, Italy, and the UK.
2021, April: Proofpoint publishes analysis warning that FluBot is spreading rapidly through Europe and may reach the US. Reports approximately 7,000 active UK infections with SMS volumes in the tens of thousands per hour.
2021, June: BlackBerry publishes a technical breakdown of FluBot's overlay and SMS mechanisms. Multiple European CERTs issue public warnings.
2021, Q4: FluBot v4.9 expands to Australia, New Zealand, and Japan with localized lure templates. Cyble documents the v4.9 New Zealand campaign.
2022, Early: FluBot v5.0 deploys DNS tunneling over HTTPS, as analyzed by F-Secure and F5 Labs.
2022, May: Dutch police seize FluBot infrastructure in an operation coordinated by Europol's European Cybercrime Centre (EC3). 11 countries participated: Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands, and the United States. Police disconnected 10,000 victims from the botnet during the raid.
2022, June: Fox-IT / NCC Group publishes a retrospective covering the full version history from initial discovery through takedown. No FluBot activity has been observed since the infrastructure seizure.
Related Families
Other major smishing-distributed families include MoqHao (Roaming Mantis), which uses similar SMS-based distribution targeting East Asian users and predates FluBot by two years. MoqHao's 2024 variants achieved auto-execution without user interaction, an evolution FluBot never reached before its takedown.