
The FluBot SMS cyber attack continues to evolve

By Darren Pauli October 15, 2021

Criminals behind the prolific FluBot SMS-based cyber attack sweeping Australia and the world have flipped their scam on its head – they’re now telling potential victims they need to install a ‘security update’ to remove an existing FluBot infection. The ‘security update’ actually contains FluBot.

The latest trick showcases the criminals’ willingness to experiment with new cover stories (known as pretexts) in a bid to increase infections as news of the cyber attacks spreads.

A sample of the new message being sent to users, which erroneously says they’re infected with FluBot in a bid to install FluBot.

We warned of FluBot in August as reports of strange, often garbled “missed call” messages began to hit people’s SMS inboxes.

FluBot is malware – like a computer virus – that can be installed on your Android device if you click on a malicious link in an SMS message. This malware then sends many similar text messages to other people from your phone without your knowledge, potentially infecting them.

The malware requests high levels of access to a victim’s phone in order to steal data and proliferate to other devices. Modern Android phones will provide owners with warnings about the access an app is requesting, but this may be of little protection to those who believe they are installing a legitimate app.

The scam is thought to have begun in Italy before spreading around Europe and then coming to Australia. The attacks are independent of carriers and can potentially affect everyone.

Currently, the FluBot “bait” messages you’re likely to receive suggest you have an unchecked voicemail as a way to get you to click the link. The message content can change, however, as we’ve seen from the messages claiming to help with an existing FluBot infection.

In recent weeks the messages have also claimed that the recipient has missed a parcel and that Australia Post deliveries have been stalled amid the Covid-19 pandemic.

If you click on the link, the FluBot malware authors will attempt to trick you into deactivating some security settings on your device so that the virus can be installed. FluBot webpages you click may ask you to allow the installation of “unknown apps”, which is restricted by default to stop malware like FluBot.

Android devices typically don’t allow unknown apps (that is, apps not from the Google Play Store) to be installed by default. FluBot cannot be installed if the installation of unknown apps is left at its default setting of denied. We strongly recommend you leave this setting as denied.

FluBot also cannot, to date, be installed on iOS devices like iPhones and iPads.

Infected Android phones should be factory reset after important data like photos and phone contacts are backed up. Make sure you restore from a backup that was taken before you were infected with FluBot, otherwise you may risk reinfecting yourself.

If you don’t regularly back up your device, now is the time to start!

The evolution of the FluBot scam reinforces our continued message that the public is best placed to beat scams by being sceptical of all unexpected communications, regardless of the message, the sender, and the medium on which it was sent – be it email, SMS, chat message, or a phone call.

Telstra and our industry peers are continually examining ways to combat sophisticated threats such as FluBot.

You can report a scam to Telstra using our website. If you want to learn more, we also have more cyber safety advice on our website.

How you can tell if you are infected with FluBot

If you have clicked one of these links, you may be infected with FluBot already. The malware sits on your phone and intercepts passwords and other login details, while simultaneously sending out messages to your contacts to encourage them to install it too.

You can tell if you have FluBot in a few ways. Your phone may warn you it is sending a large number of text messages, and you are also likely to receive SMS messages from mobile numbers that have received FluBot links sent from your device. Customers of Telstra will also receive a message from us warning of a likely FluBot infection.

Finally, you may notice an app called ‘Voicemail’ bearing an icon of a blue cassette in a yellow envelope on your device. Please bear in mind the name and icon of this app could change anytime.

What we’re doing about it

Connected technologies increasingly sit at the very heart of the lives of most Australians. But as we move more rapidly to a digital economy, we need to be more and more cognisant of the growing cyber risks and those who seek to do us harm online.

We get that scams like FluBot are annoying, and we’re working to make the internet a safer place for our customers through our Cleaner Pipes initiative.

Cleaner Pipes includes a range of existing work designed to help keep our users safe from malicious activity online. We also recently announced we’re blocking around 13 million scam calls, on average, from being delivered every month.

Alongside Cleaner Pipes, we’re actively working to help people who have inadvertently been infected with FluBot. We identify compromised users based on the distinctive nature of the FluBot malware and notify those affected as to how they can fix their infected devices.

For those close to home, our free Broadband Protect service also helps safeguard you and the devices connected to your home network from accessing many known dangerous websites. Our data shows that Broadband Protect blocks, on average, around 2.5 million malicious websites per hour.

For even more online protection when you’re out and about, our Device Protect product helps safeguard your mobile, tablet or laptop, keeping users from falling foul of scammers that want to do you harm.


Getting strange ‘missed call’ SMS messages? Here’s how to avoid the Flubot

By Clive Reeves August 12, 2021

If you’ve been receiving some strange, garbled SMS messages mentioning a missed call or voicemail recently, you’re not alone. The messages are generated by malware called Flubot, which spreads via SMS and can infect insecure Android phones.

What is Flubot?

FluBot is malware – like a computer virus – that can be installed on your Android device if you click on a malicious link in an SMS message. This malware then sends many similar text messages to other people from your phone without your knowledge, potentially infecting them. Telstra has identified a number of handsets recently which we believe are potentially infected.

If installed, the malware has wide access and can harvest your contact list to further spread, as well as accessing your personal information and banking details if you used it while infected. If infected, you should urgently remove the malware and change all your passwords, using another device that is not infected.

The Flubot malware has started to appear in Australia after circulating around Europe for some time. We’ve documented this on our Recent Scams page, but it’s worth educating yourself to stay safe. Read on to find out more.

How do phones get infected?

You may receive an SMS from another mobile telephone number with a message like

“a1bcd2 Voicemail: You have 1 new Voicemail(s). Go to [link]”

If you click on the link, you will be taken to a web page displaying a trusted brand (like Telstra) and prompted to install an app, for example to listen to the voicemail message. If you give permission to install, then the Flubot malware will be loaded on your handset.

Flubot is a sophisticated piece of malware because it spreads by sending SMS messages to random mobile numbers, as well as mobile numbers scraped from a compromised Android device’s contact list. Each time it does this it creates a new, unique link, making it difficult to block at a network level. These messages are also being sent from infected devices all across the world that have fallen victim to the malware.

To have your mobile phone compromised by the Flubot malware, you would have to click on the link and visit the malicious website in the SMS you receive. It will only affect Android phones that have previously enabled the ‘side-loading’ of applications onto the device (which means the device is configured to permit the installation of software from less trustworthy locations than the Google Play Store) – so unless you’ve done this, you can rest easy.
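Because each bait message carries a new, unique link, the message structure described above (a garbled leading token, a voicemail-style pretext and a link) is a more stable signal than the link itself. The following is an added example, not Telstra's detection logic; the keyword patterns, labels and sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pretexts named in the articles; the keyword patterns are assumptions.
PRETEXTS = {
    "voicemail": re.compile(r"voice\s?mail|missed call", re.I),
    "parcel": re.compile(r"\b(?:parcel|delivery|package)\b", re.I),
    "fake_update": re.compile(r"security update|infected", re.I),
}
# A link: explicit scheme, or a bare host followed by a path.
LINK = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+/\S*", re.I)
# Garbled leading token such as "a1bcd2": 5-8 characters mixing letters and digits.
GARBLED = re.compile(r"^(?=[a-z0-9]*[a-z])(?=[a-z0-9]*\d)[a-z0-9]{5,8}\b", re.I)


@dataclass
class Verdict:
    label: str              # "likely_lure", "suspicious" or "ok"
    pretext: Optional[str]  # which pretext matched, if any


def classify(text: str) -> Verdict:
    """Score one SMS body on structure only; the link itself is never looked up."""
    text = text.strip()
    pretext = next((n for n, rx in PRETEXTS.items() if rx.search(text)), None)
    has_link = LINK.search(text) is not None
    if not (has_link and pretext):
        # A pretext word without a link (or a link without a pretext) is not flagged.
        return Verdict("ok", pretext)
    if GARBLED.match(text):
        return Verdict("likely_lure", pretext)
    return Verdict("suspicious", pretext)


# Constructed sample messages; example.invalid is a reserved, non-resolving name.
SAMPLES = [
    "a1bcd2 Voicemail: You have 1 new Voicemail(s). Go to http://example.invalid/v/?x9k2",
    "Your parcel delivery is stalled. Track it: https://example.invalid/p/77aa",
    "Your device is infected with FluBot. Install the security update: https://example.invalid/u/1",
    "Voicemail from Sam, call me back when you can",
    "Running late, see you at 6",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify(sms), "<-", sms[:40])
```

A heuristic like this only ranks messages for caution; a message labelled "ok" with a link from an unexpected sender still deserves the scepticism the article recommends.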

How can I tell if I’m infected?

If your device is infected with Flubot, you will not know if your personal data is being accessed, and you will not be able to see your handset sending SMSes to infect others. The following are warning signs:

  • In your apps is a new app called “Voicemail” with a blue cassette in a yellow envelope. If you try to uninstall you receive an error message “You can not perform this action on a system service.”
  • You receive text messages or telephone calls from people complaining about messages you sent them but you did not know about the messages.
  • Telstra may detect you sending very high volumes of messages and send you an SMS, saying: “Your phone is sending many SMS and may be infected with malware/virus. Please remove the malware app or we may suspend your ability to send SMS. Search FLUBOT on Telstra website or call us for help.”

What can I do?

Importantly, just because you’ve received this message does not mean that your phone is already affected. If you’ve just received one of these messages, do not open the link and you’ll remain protected.

If you have clicked on the link and downloaded the software, chances are your device is now infected.

Most popular anti-virus applications for Android phones will detect Flubot to prevent infection, as well as clean up a currently infected device. Some information on how to remove Flubot from an Android device is available from security researchers at ESET, F-Secure, and our own CrowdSupport help page.

However, the instructions can be very technical. If this sounds too techy for you, you can also do a factory reset on your phone, which erases the malware.

Remember, performing a “restore” of any recent backup may restore the malware if the backup was done while the malware was installed. After a reset, it’s important that you do not do this; use a backup that is dated earlier.

After you’ve removed the malware/virus from your phone, we recommend changing your passwords as a precaution. Do not change your passwords before removing the malware.

We’re working with the security community to address this scam. For now, as always, our advice is to be especially cautious of phone calls, messages and emails from an unfamiliar source, and not to click on links that you don’t trust. If you think your Telstra account has been compromised, get in touch with us.

You can report a scam to Telstra using our website, or call us on 13 22 00. If you want to learn more, we also have more cyber safety advice on our website.


Security notification: KRACK

By Berin Lautenbach October 17, 2017

At Telstra we take protecting the privacy and security of our customers and network seriously, which is why we’re letting our customers know about a new security vulnerability we have been made aware of that could compromise users of modern protected WiFi networks.

The vulnerability, uncovered by university researchers, is named KRACK and it reduces the level of security encryption on a WiFi network. It has the potential to impact enterprise products and consumer devices which connect to WiFi such as mobile phones.

KRACK could be used by someone with ill intent to monitor WiFi surfing sessions and steal a user’s sensitive information or direct the user to phishing and malware pages.

While KRACK is notable, the WiFi Alliance has indicated that there is no evidence that the vulnerability has been exploited maliciously. Furthermore, many security experts agree that there is a reduced likelihood that criminals will exploit it as KRACK requires attackers to be physically located in the same spot as the WiFi network they wish to target. Moreover, many criminals would likely opt for traditional simple attacks like phishing which are effective, scalable, and allow targeting of victims from across the world. This has not been tested by Telstra.

Whilst this may be the case, we still recommend you take steps to protect yourself and your devices.

Help protect yourself now

To help protect yourself against KRACK, we recommend all customers exercise good WiFi security practices. While there is currently no guaranteed defence against KRACK, these measures will reduce your exposure and should be used when connected to any public WiFi.

1. Avoid conducting sensitive transactions like internet banking on public WiFi. Use your mobile data instead.
2. When using WiFi networks, check that the sites you visit use HTTPS. Depending on your web browser, you can tell HTTPS is in use by looking to the left of the website address bar for the prefix HTTPS (as opposed to HTTP), a closed lock, or the word ‘Secure’.
3. Avoid open, password-free public WiFi networks such as those at airports. We recommend using the Telstra Air app when connecting to Telstra Air as the app helps protect you from accidentally connecting to a hotspot that is pretending to be part of the Telstra Air Network to unlawfully access your information.

WiFi users should be mindful of web browser warnings such as “your connection is not private” in Google Chrome, “this site is not secure” in Internet Explorer, and “your connection is not secure” in Mozilla Firefox. These warnings may indicate an attacker is attempting an attack which could send users to phishing or malware pages.

Patching: proper protection long-term

Proper protection against KRACK requires technology companies to issue patches in order to safeguard users of their products from this attack.

Microsoft has already issued patches for Windows 8 and Windows 10, and if you use this operating system you should apply the latest updates. Google is creating a patch for its Android operating system. Apple has already developed a patch that it says will be deployed to supported devices soon.

What we’re doing

Telstra is working rapidly with our modem suppliers to determine if any devices are vulnerable. If we determine there is an issue with a specific modem or Wi-Fi device then this can be resolved through software updates; Telstra will first determine which devices could be affected and then where possible update the device remotely to fix the security vulnerability.