Messages claiming to be from parcel delivery companies such as the Post Office, UPS, DHL and others are targeting Android/iOS users. Most of the scam messages are sent by SMS texts but some are being sent as phishing emails.

Some focus on the user paying a small fee to have a package redelivered. Others try to get a user to download an app to track their package. Both kinds of message contain a malicious link which downloads a banking Trojan known as Flubot, which steals banking details.

When an Android user taps the malicious link, they are forwarded to a page where they are prompted to download an app so they can track their package.
  • Once installed, the infected Flubot app can also intercept and send SMS messages, display screen overlays, and steal contacts.
  • iOS users are directed to phishing pages that link to other malware or impersonate major banks in the hopes of stealing that user’s mobile banking login credentials.
The malware can also harvest passwords and other personal information. It also accesses contacts to send out further messages.

If you've received this message and you've already downloaded the infected app then follow these steps:
  • Don't enter any passwords or log into any accounts.
  • Perform a factory reset on your device.
  • After resetting your device you may be prompted to restore from a backup, but do not restore any apps that you've accessed or downloaded since your device was compromised.
  • Once you've restored your device you should change your passwords on your accounts to ensure they are secure.
Android users can also download free BullGuard Mobile Security software to protect their devices from further attacks.
  • For a low cost, a paid-for version of BullGuard Mobile Security is also available. It protects up to five devices and features parental controls, application monitoring and GPS location detection to keep the kids safe.

Flubot is popular among attackers

For attackers, Flubot is available as Malware as a Service (MaaS). This means its owner rents it out to attackers. It also runs its own command and control servers. In this current attack, more than 400 Flubot servers have been uncovered, which reveals the scale of the attack.

For an attacker to use Flubot, all they need to do is rent it, customise their messages and select whom they want to target. So far, attackers have targeted users across Europe, with the UK seeing a significant number of attacks. The US will likely be the next target in the scammers' sights.
  • Making this attack more effective is the widespread availability of mobile phone numbers from multiple breaches.
  • The recent Facebook breach, in which over 500 million user records, including telephone numbers, appeared online, is no doubt contributing to the scale of the attack.
  • LinkedIn also had a major data breach recently with data belonging to 500 million users, including telephone numbers, being sold on hacker forums.
  • Given that both services are ones in which users keep their mobile numbers updated, attackers know the vast majority of messages will get through to the intended target.