How do I track the bulk SMS sender

"Your package arrives": Links in fake tracking SMS lead to banking Trojans

The security software company ESET is currently warning of an SMS spam campaign aimed at, among others, Android users in Germany. At first glance, the messages are shipment notifications for packages, typically with the words: "Your package is arriving, track it here". However, users should not click on the included link: according to ESET, it leads to phishing websites where a banking Trojan is lurking.

According to ESET, the SMS messages with the malicious code have been landing on smartphones in Germany at least since March 15, i.e. since the beginning of last week. The sender numbers vary, as do the URLs in the messages, but what they have in common, at least in the examples available to the editorial staff, is that they have nothing to do with parcel services. One example (slightly obfuscated to be on the safe side) is h **** // a4hdepa ** / id /? 9qk2 *** e2b *.

Malware disguises itself as a parcel tracking app

As ESET's blog entry on the spam campaign explains, the links lead to a website designed to resemble that of the logistics company FedEx; there are also variants with logos from DHL and the Spanish company Correos. There the user is asked to install a supposed tracking app. According to ESET, this app is in fact the Android-specific banking Trojan FluBot.

ESET employee Lukas Stefanko demonstrated the entire process, from opening a malicious link to installing a complete FluBot, in a video on Twitter. The video shows that several user interactions, in the form of granting permissions, are necessary before the Trojan can fully establish itself in the system. According to ESET, these include "viewing notifications, reading and writing SMS messages, accessing the contact list and making calls".
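The permission set ESET lists can be checked for when reviewing an app before installation or during triage. The following is an added example, not code from ESET or heise: it audits an already decoded AndroidManifest.xml, the mapping from ESET's wording to Android permission names and the threshold are assumptions, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from ESET's wording to Android permission names.
CAPABILITIES = {
    "view notifications": {P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
    "read SMS": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "write SMS": {P + "SEND_SMS"},
    "read contacts": {P + "READ_CONTACTS"},
    "make calls": {P + "CALL_PHONE"},
}

def requested_permissions(manifest_xml):
    """Collect permissions the app requests or guards its services with."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms |= {e.get(ANDROID + "name") for e in root.iter(tag)}
    # A notification listener is declared as a service with a bind permission.
    perms |= {e.get(ANDROID + "permission") for e in root.iter("service")}
    perms.discard(None)
    return perms

def audit(manifest_xml, threshold=4):
    """Flag an app that combines at least `threshold` of the listed capabilities."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(c for c, names in CAPABILITIES.items() if names & perms)
    return {"capabilities": hits, "suspicious": len(hits) >= threshold}

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: a "tracking app" asking for the whole set.
SAMPLE_TRACKER = f"""<manifest {NS} package="example.constructed.tracker">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application><service android:name=".Listener"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application></manifest>"""
# Constructed sample: an app that only needs network and contacts.
SAMPLE_BENIGN = f"""<manifest {NS} package="example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("tracker", SAMPLE_TRACKER), ("benign", SAMPLE_BENIGN)):
        print(name, audit(xml))
```

A parcel tracking app has no functional need for this combination, which is why the combination, rather than any single permission, is what the check scores.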

Sending SMS to copied contact details

FluBot targets data from the apps of banks and cryptocurrency exchanges and can intercept one-time passwords for two-factor authentication (2FA) sent by SMS. Overlay attacks, in which the Trojan imitates and replaces the user interfaces of (banking) apps, are also possible. According to ESET, the Trojan reads phone numbers from its victims' contact lists in order to spread itself. According to analyses, "over 11 million telephone numbers have been stolen, mainly in Spain" since March 5th. There have already been arrests "in connection with the case"; however, the spread of the malware has continued so far.

Since an infection with FluBot requires that those affected actively install the alleged banking app, ignoring (or deleting) suspicious SMS messages offers effective protection against the malicious code.




Whether security holes, viruses or Trojans - all security-relevant messages are available from heise Security