Last week, the Barcelona authorities announced that law enforcement officers had arrested the suspected operators of the FluBot Android malware. Four people are suspected of running the FluBot Android botnet, which has already infected more than 60,000 devices.
FluBot was first spotted by ThreatFabric researchers at the beginning of this year, and analysts at the Swiss company PRODAFT recently published a detailed report on the malware. Apparently, the data the researchers collected led to the arrest of the malware's operators.
FluBot is a banking Trojan that displays fake login screens on top of other apps (a classic overlay attack). In this way the malware harvests its victims' e-banking credentials and payment card details.
The impressive number of FluBot infections is explained by a worm-like mechanism built into the malware: it uploads the victim's address book to the attackers' command-and-control server, and the operators then send malicious SMS spam to those contacts from the infected devices, so every new victim becomes a source of further infections.
“More than 11 million phone numbers were collected from infected devices (almost 25% of the total population of Spain)”, PRODAFT analysts warned.
Catalan officials say they tracked at least 71,000 spam messages sent by the group.
Spanish law enforcement officials report that they detained four men aged 19 to 27, whose names were not disclosed. Two of them are considered the leaders of the group and were remanded in custody, while the other two were released but are required to appear in court. One of the leaders reportedly handled the technical side of FluBot's operations: he wrote the malware and created the fake login pages that mimic various banking transactions.
Investigators also searched the suspects' homes, where they seized cash, laptops, documents and mobile devices. Some of these phones were allegedly bought with the victims' money.
“In addition to making money transfers [from victims' accounts], the criminals paid with victims' cards and bought luxury mobile phones, which they sent to people living in the province of Madrid who received money for accepting the parcels”, the authorities say.
Despite these arrests, FluBot is still active and continues to spread. It is not yet clear whether other members of the group who run the botnet remain at large, or whether the malware's command-and-control servers operate automatically and the botnet is now simply running on inertia.