NCSC SK-CERT warns against the spread of Flubot malware

The National Cyber Security Centre SK-CERT warns against the spread of the Flubot malware, which targets mobile devices running the Android operating system.

The malware is currently spreading via SMS and MMS in several EU countries and there is a high probability that attackers will also target Slovak cyberspace.

NCKB SK-CERT has been tracking Flubot for a long time and has been involved in technical analysis of individual strains of this malware in cooperation with the international community. Its rapid spread was observed, for example, at the end of 2021 in Finland. A massive campaign is currently underway in the Czech Republic. We therefore currently assess the risk of a massive spread of this malware in Slovak cyberspace as very high.

What is Flubot

The Flubot malware is malicious code that spreads on mobile devices (smartphones, tablets) with the Android operating system. The primary vector for the spread of this malware is phishing SMS and MMS messages that invite the victim to perform various types of activities:

  • Listening to a voicemail message,
  • information about an unanswered call,
  • information about delivery or tracking of a parcel,
  • a request to pay a fee,

Each SMS or MMS message contains a malicious URL link. This links to the download of a malicious application. If the victim installs the application, Flubot is activated and in the first phase sends phishing SMS and MMS to the victim’s phone contacts. It then collects information from the victim’s mobile device and sends it to the attacker. This can include, for example, access data to financial services (internet banking), payment card details, crypto wallet data, social network passwords, photos, mobile phone location and other sensitive data.

What makes Flubot dangerous?

Attackers are constantly adapting the Flubot malware to their needs. They are also able to use this malware on a regional level, as they create the content of SMS and MMS messages in different languages depending on the country they are attacking. It is likely that this malware is used by multiple independent attacker groups. However, despite the sophistication of the attackers in using the local language, it is usually possible to detect that it is a phishing attack. In the case of the Czech Republic, the messages looked as follows:

  • “Prichozi hla sova zprava :”
  • “You have a new main message from”
  • “You have 1 new voice message”

In the case of this malware, however, the attackers are not just adapting by localisation. They are constantly changing the content of the phishing messages to make them more credible and to reach as many victims as possible.

Flubot malware spreads very quickly. It uses the victim’s contacts to do this. After installing the malicious app, the malware sends SMS or MMS messages with phishing content to all phone numbers on the victim’s device. This means that within a short period of time (on the order of hours), Flubot can send out tens of thousands of messages.


The National Cyber Security Centre SK-CERT recommends that all users of mobile devices, regardless of operating system:

  • if you receive an SMS, MMS, mail or message via communication applications (Messenger, WhatsApp, Signal, etc.) asking you to click on a URL link, do not click on that link. If you have clicked, do not respond to the prompts to install applications or fill in forms,
  • do not respond to urgent messages in a hurry, read the message multiple times. Haste and urgency tend to be the most common tricks attackers use to get a potential victim to do what they want,
  • If you receive a suspicious message from a friend or family member, verify its authenticity in another way – by phone or preferably in person. Use the correct contact identified in a trustworthy way, not necessarily the number from which the suspicious message came,
  • only download and install apps from verified and trusted sources, i.e. the official stores of each mobile device or operating system manufacturer. These stores are automatically pre-installed on mobile devices and provide the only trusted source of apps,
  • use the option to deny the app access to SMS (the app can request this right during installation, but also at any time during runtime). Check your system settings to see which apps you have granted this permission to in the past,
  • In general, when installing any application, take care not to allow the application to access information that it has no reason to access. If possible, limit each application’s permissions to the minimum necessary. If this is not possible, do not install the application,
  • Do not, under any circumstances, give out your personal data, payment card details or access details to internet banking or social networks to anyone,
  • Keep your mobile device up-to-date at all times. This also applies to any apps you have installed on your device. Only get updates from official and verified sources – update notifications in your phone’s settings if you’re updating your mobile device’s operating system, and official stores if you’re updating apps,
  • Keep only the apps you actually use installed. Uninstall old apps that you haven’t used in a while. They can also be a way for an attacker to get into your mobile phone, for example by exploiting a vulnerability,
  • If you receive a suspicious message from a friend or family, alert them to the fact that their mobile phone may have been hacked,
  • back up your phone data regularly,
  • store passwords and access details to your services securely in encrypted wallets. Don’t store them in your browser or in text form in your phone’s notes,
  • if you receive a message that seems suspicious or you suspect may be phishing, please notify us at [email protected] Please include in the message what phone number you received the message from, what the content of the message was, and what URL it contained.

« Späť na zoznam