A smartphone virus that automatically infected the phones of everyone in a victim’s contacts list has been significantly disrupted after an international law enforcement operation involving Garda cyber investigators.
The malware typically spread via bogus text messages purporting to update the recipient on the status of a parcel being delivered to them or suggesting a voicemail from a friend had arrived.
The FluBot malware has been of very serious concern to the Garda because it had spread so quickly in Ireland and recorded the keystrokes on victims’ phone. That meant when a phone was infected and unsuspecting victims accessed their bank accounts, for example, the access codes were recorded and harvested for use by criminals.
However, the international policing operation coordinated by Europol has resulted in the infrastructure used to run the malware being taken over by law enforcement. As a result, even phones currently infected cannot be compromised as the information on the phones cannot be gathered and accessed by the cyber criminals involved.
Det Supt Pat Ryan of the Garda National Cyber Crime Bureau told The Irish Times the spread of FluBot had reached a peak in Ireland last year and was of very significant concern because of the number of victims in the Republic. It allowed the criminals involved access to an infected phone and also had the ability to takeover each phone and record the activity on it.
However, he said the international policing operation his bureau had been part of had now “successfully disrupted and rendered ineffective the infrastructure” behind the malware.
“The Garda National Cyber Crime Bureau continue work collaboratively with international law enforcement agencies to target the criminal networks responsible for all forms of cybercrime. The investigation is ongoing to identify the individuals behind this global malware campaign,” he said.
The FluBot malware only infected Android phones and was often sent to victims via text messages containing a link track a parcel in the postal system or to listen to a bogus voice mail message. Once the link was clicked, the malware was installed on the phone and would soon request permission from the owner to access other apps and websites that required passwords.
Once that permission was granted, by people who did not realise their phone was infected, codes for accessing bank accounts and even cryptocurrency accounts were gathered up for use by the criminals.
As well as the Garda, US Secret Service and Europol involved in the operation that resulted in the takeover of the FluBot infrastructure, law enforcement agencies for a large number of other countries also took part. These include Australia, Belgium, Finland, Hungary, Romania, Sweden, Switzerland, Spain and the Netherlands.
Europol’s European Cybercrime Centre helped the participating agencies create a joint strategy to take down the malware, including offering digital forensic support, coordinating the sharing of information and providing a virtual command post on the day of the takedown.