
FluBot Android Malware Analysis

FluBot Analysis Summary

FluBot is Android malware distributed by SMS phishing (smishing). The fake SMS, written to match a parcel-delivery scenario, carries a link to download FluBot; victims who follow it download an .apk file. Once installed, FluBot contacts its command and control (C2) server and lets the operator control the device remotely.

The analysis showed that FluBot can send SMS from the victim's device, read incoming text messages, kill background applications and read the contact list.

After installation the malware obtains the permissions it needs from the victim and then presents a form that matches the phishing scenario. This page harvests sensitive data such as date of birth, name and surname, credit card details and phone number, which FluBot forwards to the attacker's command and control server.

Fake DHL SMS notification message (Phishing)

In another example, the fake SMS leads to a realistic-looking web page built to serve the malicious APK, and FluBot is installed once the user downloads and installs it from there. (A screenshot of the sample phishing page is shown below.)

Frequency of Infection and Target Countries

FluBot has mainly targeted European countries. It used the surge in parcel deliveries during the COVID-19 pandemic as its phishing lure and spread very rapidly in a short time.

3 – FluBot Technical Analysis

Once downloaded and installed, FluBot asks the user to grant it "full access" to the device, i.e. to enable it as an Accessibility Service. After the user approves, the malware keeps running in the background even if the user closes the application.

The sample runs under the package name "com.eg.android.AlipayGphone" (the package name of the legitimate Alipay app). Its permission list is as follows:

  • android.permission.INTERNET
  • android.permission.READ_CONTACTS
  • android.permission.WRITE_SMS
  • android.permission.READ_SMS
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.READ_PHONE_STATE
  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.WAKE_LOCK
  • android.permission.FOREGROUND_SERVICE
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • android.permission.CALL_PHONE
  • android.permission.REQUEST_DELETE_PACKAGES
  • android.permission.KILL_BACKGROUND_PROCESSES
  • android.permission.ACCESS_NETWORK_STATE

With these permissions, plus the Accessibility Service and notification-listener access it asks the user to enable, the malware can:

• Access the Internet

• Read and send SMS

• Read the contact list

• Place phone calls

• Remove applications from the device

• Act as an Accessibility Service

• Read device notifications
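The permission profile above is the first thing an analyst checks on a suspicious APK. The following script is an added example (not tooling from the original analysis): it takes an AndroidManifest.xml as apktool decodes it, lists the requested permissions and the services bound with the Accessibility Service and notification-listener permissions, and reports the capabilities derived above. SAMPLE_MANIFEST is constructed for this example from the permission list in the analysis; the service declarations and their class names are assumptions, not a manifest dumped from a FluBot sample.

```python
"""Permission triage for a decoded Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# A capability is reported when every permission in its set is requested.
CAPABILITIES = {
    "read_and_send_sms": {"android.permission.READ_SMS",
                          "android.permission.RECEIVE_SMS",
                          "android.permission.SEND_SMS"},
    "read_contacts": {"android.permission.READ_CONTACTS"},
    "place_calls": {"android.permission.CALL_PHONE"},
    "uninstall_apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "kill_background_apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
    "enumerate_installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "persist_in_background": {"android.permission.FOREGROUND_SERVICE",
                              "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

# These are granted by the user enabling the service in Settings, not by a
# runtime permission prompt, so they show up on <service> elements instead.
SERVICE_ROLES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
}

# Constructed sample: the permission list from the analysis, with assumed
# service declarations for the class names seen in the decompiled sample.
REQUESTED = [
    "INTERNET", "READ_CONTACTS", "WRITE_SMS", "READ_SMS", "SEND_SMS", "RECEIVE_SMS",
    "READ_PHONE_STATE", "QUERY_ALL_PACKAGES", "WAKE_LOCK", "FOREGROUND_SERVICE",
    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "CALL_PHONE", "REQUEST_DELETE_PACKAGES",
    "KILL_BACKGROUND_PROCESSES", "ACCESS_NETWORK_STATE",
]
SAMPLE_MANIFEST = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
    '    package="com.eg.android.AlipayGphone">\n'
    + "".join(f'  <uses-permission android:name="android.permission.{p}"/>\n'
              for p in REQUESTED)
    + '  <application>\n'
    '    <service android:name=".MyAccessibilityService"\n'
    '        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>\n'
    '    <service android:name=".MyNotificationListener"\n'
    '        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>\n'
    '    <service android:name=".ForegroundService"/>\n'
    '  </application>\n'
    '</manifest>\n'
)


def parse_manifest(xml_text):
    """Return (package, requested permissions, {service name: role})."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    services = {s.get(ANDROID + "name"): SERVICE_ROLES[s.get(ANDROID + "permission")]
                for s in root.iter("service")
                if s.get(ANDROID + "permission") in SERVICE_ROLES}
    return root.get("package"), perms, services


def triage(xml_text):
    package, perms, services = parse_manifest(xml_text)
    caps = sorted(name for name, need in CAPABILITIES.items() if need <= perms)
    roles = sorted(set(services.values()))
    # Accessibility plus full SMS control is the FluBot profile: the service
    # can click through permission prompts and hide what the SMS spammer does.
    verdict = ("critical" if "accessibility_service" in roles
               and "read_and_send_sms" in caps else "review")
    return {"package": package, "permissions": sorted(perms), "services": services,
            "capabilities": caps + roles, "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(report["package"], "->", report["verdict"])
    for cap in report["capabilities"]:
        print(" -", cap)
```

Run it against `apktool d sample.apk` output by reading the decoded manifest into `triage()`; WRITE_SMS and READ_PHONE_STATE are deliberately not mapped to a capability here because on their own they are common in legitimate messaging apps, so the verdict rests on the combinations rather than on any single permission.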


The victim's Android device now communicates continuously with the attackers' command and control server. Our analysis also showed that, on the attacker's command, this traffic can be routed through a SOCKS proxy (the sample contains a SocksClient class for this).

3.1 – String Obfuscation

FluBot uses Paranoid, an open source string obfuscator for Android, to hinder analysis and to evade anti-virus signatures: string literals are stored obfuscated in the APK and only reconstructed while the malware is running.

Components of the sample whose string data is obfuscated:

• BotId

• BrowserActivity

• CardActivity

• ComposeSmsActivity

• ContactItem

• DGA

• ForegroundService

• HttpCom

• IntentStarter

• LangTxt

• MainActivity

• MyAccessibilityService

• MyNotificationListener

• PanelReq

• SMSReceiver

• Spammer

• Utils

• SocksClient

3.2 – String De-obfuscation

Because the attackers hide FluBot's string data, the obfuscated strings must be de-obfuscated for the analysis results to be reliable. An open source Java tool was used for this.

When the Java tool is run, the data in the chunks37 array is turned back into readable strings by a mathematical function. As the output screenshot shows, the recovered strings include the phishing-form labels in several languages (Card Number, CVV, Owner, Year, etc.).
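To show what that de-obfuscation step actually does, the block below is an added example written for this article; it is not the Java tool used in the analysis and not code from the Paranoid project. Paranoid's runtime keeps every string literal in a chunk array and rebuilds each one from a 64-bit id; this block models that shape (id -> seed -> keystream -> offset, length and characters pulled out of the chunk array) with a hypothetical xorshift PRNG and constants chosen for the example, so it will NOT decode a real Paranoid build. The chunk array and the ids are constructed here by the included build step from the form labels named above. The point is the analyst workflow: transcribe the decoder once, then feed it every id found at the call sites in the decompiled code to dump the cleartext strings.

```python
"""Paranoid-style string de-obfuscation, modelled in Python (added example)."""
MASK64 = (1 << 64) - 1
CHUNK_LEN = 32   # characters per element of the chunk array (hypothetical)


def scramble(word):
    """SplitMix-style scrambler turning the id's low 32 bits into a PRNG state."""
    z = (word + 0x9E3779B97F4A7C15) & MASK64
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    return (z ^ (z >> 31)) or 1        # xorshift must never start from zero


def xorshift64(state):
    state ^= (state << 13) & MASK64
    state ^= state >> 7
    state ^= (state << 17) & MASK64
    return state


def char_at(chunks, index, state):
    """Advance the keystream and unmask the cell at buffer position `index`."""
    state = xorshift64(state)
    masked = ord(chunks[index // CHUNK_LEN][index % CHUNK_LEN])
    return state, masked ^ ((state >> 32) & 0xFFFF)


def get_string(chunks, ident):
    """The decoder, shaped like a generated Deobfuscator.getString(long)."""
    state = xorshift64(scramble(ident & 0xFFFFFFFF))
    index = ((ident >> 32) ^ (state >> 32)) & 0xFFFFFFFF   # hidden start offset
    state, length = char_at(chunks, index, state)           # first cell = length
    chars = []
    for i in range(length):
        state, code = char_at(chunks, index + 1 + i, state)
        chars.append(chr(code))
    return "".join(chars)


def build_chunks(strings, seeds):
    """Build step (the obfuscator's side): returns (chunks, one id per string).
    Used here only to construct the sample; a real APK ships only `chunks`
    and the ids embedded at each call site."""
    buf, ids = [], []
    for text, word in zip(strings, seeds):
        index = len(buf)
        state = xorshift64(scramble(word))
        ids.append(((index ^ (state >> 32)) & 0xFFFFFFFF) << 32 | word)
        for code in [len(text)] + [ord(c) for c in text]:
            state = xorshift64(state)
            buf.append(chr(code ^ ((state >> 32) & 0xFFFF)))
    flat = "".join(buf)
    return [flat[i:i + CHUNK_LEN] for i in range(0, len(flat), CHUNK_LEN)], ids


# Constructed sample: phishing-form labels from the analysis, obfuscated with
# arbitrary seed words.
PLAINTEXT = ["Card Number", "CVV", "Owner", "Year", "Tarjeta"]
CHUNKS, IDS = build_chunks(PLAINTEXT,
                           [0x1A2B3C4D, 0x00000007, 0xDEADBEEF, 0x13579BDF, 0x2468ACE0])


def dump_strings(chunks, ids):
    """What the analyst runs: every id seen in the decompiled code -> cleartext."""
    return {hex(i): get_string(chunks, i) for i in ids}


if __name__ == "__main__":
    for ident, text in dump_strings(CHUNKS, IDS).items():
        print(ident, "->", text)
```

Because the keystream is seeded from the id itself, nothing in the chunk array can be read without the ids; the practical approach is therefore to collect every `getString(0x...L)` argument from the decompiled classes (a regex over the JADX output is enough) and pass the list to `dump_strings`.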

3.3 – Command and Control

At the time of analysis the newest FluBot version is 4.0. Once on the target Android device, FluBot reaches the attacker through a Domain Generation Algorithm (DGA): it generates domain names made of pseudo-random letters and digits, so the C2 addresses do not appear anywhere in the bot and cannot be blocked with a static list. In version 4.0 in particular, these domains are resolved over plain DNS or DNS over HTTPS (DoH); with DoH the lookups travel inside HTTPS, so firewalls, EDR and anti-virus products that inspect plaintext DNS do not see the C2 resolution.

The surge in infections that began on 2021-01-22 coincided with version 4.0.

The attackers abuse Google Public DNS: the bot tunnels its C2 lookups through Google's resolver instead of the device's configured DNS, and the C2 connection requests are then made to the servers those lookups return. A screenshot of the HTTP requests is shown below.

Command and control domains generated by the DGA (see screenshot):

In FluBot 4.0 the connection request goes to poll.php on the C2 server; through it the attacker can run commands remotely (PING, LOG, SMS_RATE, GET_SMS, etc.). The function that performs the request is shown in the screenshot.

Below is the decompiled function, found during our analysis, that establishes the DNS over HTTPS connection through which FluBot is reached remotely.

This technique was observed specifically in samples aimed at the United Kingdom and the United States. The most important difference in another FluBot 4.0 sample is that the attackers chose Cloudflare DNS instead of Google DNS for these lookups.
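From the defender's side, the DGA and the DoH lookups described above are detectable together. The block below is an added example (not from the original analysis) and does not reproduce FluBot's real DGA parameters; it treats any scheme that produces long, random-looking registrable domains the same way. It runs over two constructed log sources, a resolver query log and an egress proxy log (one record per line), and reports a client that (1) resolves many distinct high-entropy domains inside a short window, most of them NXDOMAIN, which is a bot walking its DGA list, and (2) also talks to a public Google or Cloudflare DoH resolver over HTTPS, which a plaintext-DNS monitor alone would never see. Hostnames, IPs, timestamps, thresholds and the log formats are assumptions made for this example.

```python
"""DGA polling + DNS-over-HTTPS detection over constructed logs (added example)."""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Google and Cloudflare, the two resolvers named in the analysis, by name and IP.
DOH_RESOLVERS = {"dns.google", "8.8.8.8", "8.8.4.4",
                 "cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}
MIN_LABEL_LEN = 12     # assumed: generated labels are long strings of letters
MIN_ENTROPY = 3.3      # bits per character; English words sit well below this
MIN_DOMAINS = 4        # distinct generated-looking domains per client ...
WINDOW_SECONDS = 600   # ... within this many seconds

# Constructed resolver log: timestamp, client, query name, rcode.
DNS_LOG = """\
2021-03-10T09:12:01Z 10.0.0.5 qzmbwtrkxyvnhjp.com NXDOMAIN
2021-03-10T09:12:01Z 10.0.0.5 lfgdcusaoeirnmt.ru NXDOMAIN
2021-03-10T09:12:02Z 10.0.0.5 kpwbjxzvqhytrgn.com NXDOMAIN
2021-03-10T09:12:02Z 10.0.0.5 nvxkzcfpqbjwdhu.net NXDOMAIN
2021-03-10T09:12:03Z 10.0.0.5 tyrqmzlvxgcdfbs.com NOERROR
2021-03-10T09:12:03Z 10.0.0.5 hwjpnkbzqvfxrly.ru NXDOMAIN
2021-03-10T09:12:05Z 10.0.0.5 dhl.com NOERROR
2021-03-10T09:12:07Z 10.0.0.7 login.microsoftonline.com NOERROR
2021-03-10T09:12:09Z 10.0.0.7 play.googleapis.com NOERROR
2021-03-10T09:12:11Z 10.0.0.7 google.com NOERROR
"""

# Constructed egress proxy log: timestamp, client, method, destination.
PROXY_LOG = """\
2021-03-10T09:12:00Z 10.0.0.5 CONNECT dns.google:443
2021-03-10T09:12:04Z 10.0.0.5 CONNECT tyrqmzlvxgcdfbs.com:443
2021-03-10T09:12:10Z 10.0.0.7 CONNECT login.microsoftonline.com:443
"""


def entropy(label):
    """Shannon entropy of the character distribution, in bits per character."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(name):
    """Naive eTLD+1: last two labels (use the Public Suffix List in production)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_generated(name):
    label = registrable(name).split(".")[0]
    return len(label) >= MIN_LABEL_LEN and entropy(label) >= MIN_ENTROPY


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(dns_log, proxy_log):
    seen = defaultdict(dict)            # client -> {domain: (first_ts, rcode)}
    for line in dns_log.splitlines():
        ts, client, qname, rcode = line.split()
        if looks_generated(qname):
            seen[client].setdefault(registrable(qname), (parse_ts(ts), rcode))
    doh = defaultdict(set)
    for line in proxy_log.splitlines():
        _ts, client, _method, dest = line.split()
        host = dest.rsplit(":", 1)[0]
        if host in DOH_RESOLVERS:
            doh[client].add(host)
    findings = []
    for client, domains in seen.items():
        if len(domains) < MIN_DOMAINS:
            continue    # one odd-looking name (e.g. microsoftonline) is not a DGA
        times = sorted(t for t, _ in domains.values())
        if (times[-1] - times[0]).total_seconds() > WINDOW_SECONDS:
            continue
        findings.append({
            "client": client,
            "dga_domains": sorted(domains),
            "nxdomain": sum(1 for _, rc in domains.values() if rc == "NXDOMAIN"),
            "doh_resolvers": sorted(doh.get(client, ())),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(DNS_LOG, PROXY_LOG):
        print(finding)
```

Note the caveat built into the sample: `login.microsoftonline.com` clears the entropy bar on its own (a 15-letter label with few repeats), so the per-client count inside the window, not the entropy of a single name, is what separates a DGA from ordinary traffic. Conversely, once the bot switches fully to DoH the resolver log goes quiet, which is why the proxy-side check for DoH endpoints is kept alongside it.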

Another FluBot feature is country-specific targeting based on the country code in the victim's phone number. The attackers pick the courier brands operating in that country and the language spoken there, and show a matching phishing interface.

In the decompiled FluBot code shown, this sample selects targets located in Russia.

It steals the credit card number, CVV and device information from the victim.

After the victim, deceived by the phishing lure, enters this information into FluBot's form, the string data is sent to the attackers by the GetCredential_A05 function.

The phishing form through which FluBot requests this data from the victim is shown in the image below.

HTTP Traffic Analysis of FluBot v3.7

To intercept the HTTP traffic with Burp Suite's proxy, Frida is used to inject JavaScript into the running malware, which bypasses Android SSL pinning so the connection can be captured. The capture shows the device sending requests to poll.php with base64-encoded string data; the bot and the C2 server exchange messages through POST and GET requests.
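Once the traffic is in Burp, the remaining work is decoding what goes through poll.php. The block below is an added example, not the tooling used in the analysis: it takes raw HTTP messages as pasted from Burp's proxy history, recovers the base64-encoded text on both sides (query values for GET, form values for POST, bare body for responses), and picks out the C2 commands named above. The two exchanges are constructed for the example; the host, the bot id and the exact layout of the encoded text are assumptions, not FluBot's real wire format.

```python
"""Decode base64 poll.php exchanges captured through Burp (added example)."""
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

C2_COMMANDS = ("PING", "LOG", "SMS_RATE", "GET_SMS")
CMD_RE = re.compile(r"\b(" + "|".join(C2_COMMANDS) + r")\b")


def _b64(text):
    """Helper used only to construct the sample messages below."""
    return base64.b64encode(text.encode()).decode()


# --- constructed capture (host, bot id and text layout are assumptions) ----
_post_body = "data=" + quote(_b64("0123456789abcdef,PING,3.7"), safe="")
POST_REQUEST = ("POST /poll.php HTTP/1.1\r\n"
                "Host: c2-poll.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                f"Content-Length: {len(_post_body)}\r\n"
                "\r\n" + _post_body)
POST_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Content-Type: text/plain\r\n\r\n" + _b64("SMS_RATE,60"))
GET_REQUEST = ("GET /poll.php?d=" + quote(_b64("0123456789abcdef,GET_SMS"), safe="")
               + " HTTP/1.1\r\nHost: c2-poll.example\r\n\r\n")
GET_RESPONSE = "HTTP/1.1 200 OK\r\n\r\n" + _b64("LOG,ok")


def lenient_b64decode(blob):
    """Accept the URL-safe alphabet, missing padding and a '+' that a sloppy
    form decoder turned into a space, as proxy views often show it."""
    blob = blob.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob)


def parse_message(raw):
    """Split a raw HTTP message into (start line, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers, body.strip()


def encoded_fields(first, headers, body):
    """Every candidate base64 string carried by the message."""
    method, _, rest = first.partition(" ")
    if method == "GET":
        target = rest.rsplit(" ", 1)[0]            # drop the HTTP version
        return [v for vals in parse_qs(urlsplit(target).query).values() for v in vals]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return [v for vals in parse_qs(body).values() for v in vals]
    return [body] if body else []


def decode_message(raw):
    first, headers, body = parse_message(raw)
    texts = []
    for field in encoded_fields(first, headers, body):
        try:
            texts.append(lenient_b64decode(field).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue        # not base64 or not text: leave for manual review
    return first, headers.get("host"), texts


def decode_exchange(request_raw, response_raw):
    req_line, host, client_says = decode_message(request_raw)
    _, _, server_says = decode_message(response_raw)
    return {
        "request": req_line.split(" ")[:2],        # method and target
        "host": host,
        "client_says": client_says,
        "server_says": server_says,
        "commands": sorted({m for t in client_says + server_says
                            for m in CMD_RE.findall(t)}),
    }


if __name__ == "__main__":
    for req, resp in ((POST_REQUEST, POST_RESPONSE), (GET_REQUEST, GET_RESPONSE)):
        print(decode_exchange(req, resp))
```

A field that fails to decode as UTF-8 text is skipped rather than forced; in that situation the body is more likely encrypted before the base64 layer, which is the cue to go back to the decompiled HttpCom class instead of the proxy view.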

4 – MITRE ATT&CK Techniques and Tactics (Android)

Tactic               Technique ID   Technique Name
-------------------  -------------  ---------------------------------------
Defense Evasion      T1418          Application Discovery
                     T1406          Obfuscated Files or Information
Credential Access    T1409          Access Stored Application Data
Discovery            T1421          System Network Connections Discovery
                     T1422          System Network Configuration Discovery
                     T1430          Location Tracking
                     T1418          Application Discovery
                     T1426          System Information Discovery
Collection           T1432          Access Contact List
                     T1430          Location Tracking
                     T1507          Network Information Discovery
                     T1409          Access Stored Application Data
Command and Control  T1573          Encrypted Channel
                     T1071          Application Layer Protocol
                     T1571          Non-Standard Port
                     T1219          Remote Access Software
Impact               T1447          Delete Device Data
                     T1448          Carrier Billing Fraud

5 – IOC Data

FluBot v3.7

Correos phishing lure – SHA-256 hashes
446833e3f8b04d4c3c2d2288e456328266524e396adbfeba3769d00727481e80
bb85cd885fad625bcd2899577582bad17e0d1f010f687fc09cdeb8fe9cc6d3e1
8c14d5bc5175c42c8dd65601b4964953f8179cfe5e627e5c952b6afd5ce7d39d
FedEx phishing lure – SHA-256 hashes
a601164199bbf14c5adf4d6a6d6c6de20f2ab35ec7301588bceb4ee7bb7d1fdc
f0fa95c3b022fb4fee1c2328ffbc2a9567269e5826b221d813349ebf980b34da
07ba6893c4ffc95638d4d1152f7c5b03aca4970474a95bf50942c619aa4382ae
ca5ba6098a2a5b49c82b7351920966009a99444da4d6f6e5a6649e5e2aeb3ff8
8be8576c742f31d690d449ab317b8fb562d03bc7c9dc33fa5abf09099b32d7a0
DHL phishing lure – SHA-256 hashes
54ecabbff30b05a6a97531f7dec837891ce49ae89878eaf38714c1874f5f1d15
c3838f9544e613917068f1b2e22ab647fd5a60701e1045b713767a92cf79f983
ab29813b1da1da48b4452c849eedc35b6c52044946d39392530573c540916f74


FluBot v4.0

DHL phishing lure – SHA-256 hashes
3a4bdcb1071e8c29c62778101b7ae8746f3ee57cb1588e84d7ee1991964703e6
22025590bbb4d3a30658fea45a936b6a346479c83d1c35f85521a1ac564342a0
774acbfbedd2a37e636f6251af84a7abb2e64c2db9d6de5ce0fec4121064ea49
3bf82acb8d511bfef3e083b73136824aab3612b516f150d916fe351b7e5bc9d3
9b9b67a2b9ec5a15044430a9f5d9ce6a7f524e1feed186a96309256df686cfdd
8bb8b1a1dc1487db610700f6b59ea4ab44ddc2f52e0eca06f8d1da663b312b58
