Mobile Operators and Ofcom Warn of Scam DHL and FedEx Text

We’ve had several of these and there’s a good chance you have too. This week has seen Ofcom and all the major mobile operators – EE, Vodafone, Three UK and O2 – issue warns to customers about a surprisingly prevalent piece of malware called FluBot, which sends fake DHL or FedEx delivery messages that can infect your phone.

At this point we’ve probably all experienced the occasional SPAM TXT and the idea of including a dodgy link, which can be used for phishing your personal details or to infect your device, is nothing particularly new. Obviously, it’s not the text message itself that’s dangerous, but the link it includes and what happens if you access (click / tap) it.

In this case FluBot generates a fake DHL Delivery message, which includes a link for tracking a non-existent parcel. Like most such scams there’s a strong element of social engineering involved, which may explain why this particular malware (malicious software) has been so successful. Simply put, a lot of people receive parcels from DHL and the inclusion of links in such notifications is common.

The problem this time is made worse because this is more than a mere phishing attempt. If you happen to click that link then FluBot will attempt to infect Android based Smartphones (it won’t infect iOS but does redirect Apple users to a phishing site) with spyware, which hides in the background while snooping on all your sensitive data and credit card details. On top of that it’ll spam infected messages at all your contacts – they’ll love that.

According to a spokesperson for Vodafone, “We’ve seen reports of this across all networks in many countries, and it seems to be growing quickly. Please be vigilant.” At present if you have been infected then the recommended course of action is to factory reset your phone (say bye.. bye to your history if you haven’t done a backup) and to change any passwords associated to services you may have accessed via your phone.

Obviously, if you need to check DHL deliveries than it’s best to visit the official website  – https://track.dhlparcel.co.uk – and try to avoid clicking any links in text messages.

A Closer Look at Flubot

So far as we can tell, this particularly ugly and effective piece of malware first cropped up in Spain toward the end of last year and has since spread rapidly across the rest of the EU and UK, particularly over the past couple of months. Many of the people we know have received such a message, in a few cases multiple times, and indeed so have we. The names of various delivery companies are used, but DHL and FedEx are the most common.

According to security researchers at Proofpoint, the FluBot versions analysed impact at a minimum Android SDK version 7.0 and target Android SDK version 9.0. The good news is that Android requires users to grant permission before an untrusted app can do anything, thus if you do click the link then it’ll usually prompt you with a few access request windows first (i.e. this is a last chance to stop the malware and deny it access).

Proofpoint Statement:

“Once given the permissions, both FluBot versions act as spyware, SMS spammer, and credit card and banking credential stealers all in one. Reaching out to the C2 server, the malware sends the victim’s contact list and retrieves an SMS phishing message and number to continue its spread using the victim’s device.

Additional functionality includes intercepting SMS messages, USSD messages from the telecom operator, and app notifications, opening pages on a victim’s browser, disabling Google Play Protect to prevent its detection, opening a SOCKS connection and creating a SOCKS proxy for communication depending on the C2 request, and uninstalling any app as directed by the C2. The malware also uses the system’s “locale.getLanguage()” to set the text language for interfacing with the victim, ensuring they will be none the wiser when they encounter notifications.

Another key part of the malware’s functionality is its ability to install display overlays for various banking apps and Google Play verification. When the malware has captured the victim’s credit card information, the card number format is validated locally and then sent to the C2 for exploitation.”

If you do receive the message then you should report the text by forwarding it to text number 7726 (recognised by UK operators) and then delete it. As a general rule, try to avoid clicking links that are sent to you via a text message. Instead, try to find an alternative route to check if the information is correct, such as going directly via an official website etc.