Getting strange ‘missed call’ SMS messages? Here’s how to avoid the Flubot

If you’ve been receiving some strange, garbled SMS messages mentioning a missed call or voicemail recently, you’re not alone. The messages are generated by malware called Flubot, which spreads via SMS and can infect insecure Android phones.
Clive Reeves · 12 August 2021 · 4 minute read

What is Flubot?

FluBot is malware – like a computer virus – that can be installed on your Android device if you click on a malicious link in a SMS message. This malware then sends many similar text messages to other people from your phone without your knowledge, potentially infecting them. Telstra has identified a number of handsets recently which we believe are potentially infected.

If installed, the malware has wide access and can harvest your contact list to further spread, as well as accessing your personal information and banking details if you used it while infected. If infected, you should urgently remove the malware and change all your passwords, using another device that is not infected.

The Flubot malware has started to appear in Australia after circulating around Europe for some time. We’ve documented this on our Active Scams page, but it’s worth educating yourself to stay safe. Read on to find out more.

How do phones get infected?

You may receive an SMS from another mobile telephone number with a message like

“a1bcd2 Voicemail: You have 1 new Voicemail(s). Go to [link]”

If you click on the link, you will be taken to a web page displaying a trusted brand (like Telstra) and prompted to install an app, for example to listen to the voicemail message. If you give permission to install, then the Flubot malware will be loaded on your handset.

Flubot is a sophisticated piece of malware because it spreads by sending SMS messages to random mobile numbers, as well as mobile numbers scraped from a compromised Android device’s contact list. Each time it does this it creates a new, unique link, making it difficult to block at a network level. These messages are also being sent from infected devices all across the world that have fallen victim to the malware.

To have your mobile phone compromised by the Flubot malware, you would have to click on the link and visit the malicious website in the SMS you receive. It will only affect Android phones that have previously enabled the ‘side-loading’ of applications onto the device (which means the device is configured to permit the installation of software from less trustworthy locations than the Google Play Store) – so unless you’ve done this, you can rest easy.

How can I tell if I’m infected?

If your device is infected with Flubot, you will not know if your personal data is being accessed, and you will not be able to see your handset sending SMSes to infect others. The following are warning signs:

  • In your apps is a new app called “Voicemail” with a blue cassette in a yellow envelope. If you try to uninstall you receive an error message “You can not perform this action on a system service.”
  • You receive text messages or telephone calls from people complaining about messages you sent them but you did not know about the messages.
  • Telstra may detect you sending very high volumes of messages and send you an SMS, saying: “Your phone is sending many SMS and may be infected with malware/virus. Please remove the malware app or we may suspend your ability to send SMS. Search FLUBOT on Telstra website or call us for help.”

What can I do?

Importantly, just because you’ve received this message does not mean that your phone is already affected. If you’ve just received one of these messages, do not open the link and you’ll remain protected.

If you have clicked on the link and downloaded the software, chances are your device is now infected.

Most popular anti-virus applications for Android phones will detect Flubot to prevent infection, as well as clean up a currently infected device. Some information on how to remove Flubot from an Android device is available from security researchers at ESET and F-Secure.

However, the instructions can be very technical. If this sounds too techy for you, you can also do a factory reset on your phone, which erases the malware.

Remember, performing a “restore” of any recent backup may restore the malware if a backup was done while the malware was installed, so, it’s important that after a reset, you not do this, use an back up that is dated earlier.

After you’ve removed the malware/virus from your phone, we recommend changing your passwords as a precaution. Do not change your passwords before removing the malware.

We’re working with the security community to address this scam. For now, as always, our advice is to be especially cautious of phone calls, messages and emails from an unfamiliar source, and not to click on links that you don’t trust. If you think your Telstra account has been compromised, get in touch with us.

You can report a scam to Telstra using our website, or call us on 13 22 00. If you want to learn more, we also have more cyber safety advice on our website.

Topics

By Clive Reeves

Deputy Chief Information Security Officer

Clive is the Deputy Chief Information Security Officer and has over 20 years’ experience in cyber security risk management, engineering and operations. Clive leads critical customer-facing security capabilities including the Telstra Security Operation Centres and the Defence Engagement Security Team. Clive was previously the CISO for Telstra’s Defence Engagement Team and also managed a secure ops and incident response centre. Prior to joining Telstra, Clive worked for the Australian Government and served in the Royal Australian Air Force (RAAF). Clive is an engineering graduate of RMIT and holds an MBA in Technology Management.

Related articles