What Is FluBot Malware? How to Detect, Remove, and Prevent It

Quick Summary: What Is FluBot Malware? How to Detect, Remove, and Prevent It

FluBot is a new form of malware that is spreading on Android phones in several countries. It’s harmful in many ways:

  • It spreads via fake text messages that require users to download an app.
  • This app disguises itself as a service or a system app.
  • If users download and install the app, it asks for several kinds of permissions.
  • If granted, these permissions allow the app to gain control over the device and cause significant harm.
  • It can even trick users into giving up their financial details.

FluBot is particularly scary as it functions in the background and is hard to detect.

If you are infected by FluBot, you need to delete the malicious app by rebooting into Android Safe Mode. If that doesn’t work, you may need to factory reset your system.

In any case, it’s best to prevent infection by malicious software in the first place by securing your device using a reliable antivirus scanner, such as Avira.

Check out the rest of the article for more information on FluBot and how it can be detected, removed and prevented.

With the world still reeling from the impact of the COVID-19 pandemic, the last thing people want to hear about is the spread of another virus. Unfortunately, the FluBot malware, a kind of computer virus, has been spreading like wildfire on Android devices.

Android users in several countries have reported receiving strange text messages in different languages. Each text message contains a link to a webpage. On the webpage, users are instructed to install a FedEx or Voicemail app, which is infected with FluBot.

During the installation process, the malware app requests all kinds of permissions from the user and gains control of the device. It can then access a user’s financial details, delete apps, and send text messages to a user’s contact list.

This article explains how FluBot malware spreads and what you can do to detect and remove it. We also share some important tips to prevent such infections.


What Is FluBot Malware?

FluBot is a kind of malware that only infects Android phones and is disguised as an app. Though it made its first appearance in January 2020, the start of 2022 has seen a marked increase in FluBot cases. It has been named after the flu because it spreads quickly and widely.

The malware app gives hackers significant control over an infected Android device. It allows them to extract sensitive personal information, such as banking and credit card details.


How Does FluBot Malware Spread?

FluBot can spread in several different ways. The most common vectors are text messages. Targets of the virus receive messages in languages such as German, Polish, and Hungarian.

The text message instructs the user to click on a link to track their parcel which is out for delivery. Alternate versions of the message ask users to click on a link to check their voicemail or download an important security update through a phishing link.

Once the user clicks on the link, they are redirected to a webpage. Depending on the contents of the message, the webpage asks the user to download a tracking app for delivery services like FedEx and DHL, a voicemail app, or a security update.

Interestingly, the fake security update actually tells users that they’ve been infected with FluBot and that the update will help remove it!

If the user agrees, an APK file infected with FluBot is downloaded and installed on their device. During the installation process, the application requests permissions to access contact lists, read and write text messages and initiate phone calls.

In other words, the app gains control over an Android device’s most important functions. In this, FluBot is pretty similar to a trojan virus as it disguises itself as a benevolent application to infect a device.


What Harm Can FluBot Cause?

FluBot can cause serious harm to infected devices. The most common ways in which it impacts a device are:

  1. The malware uploads a user’s contact lists to a command and control center. Messages containing links to the FluBot malware are then sent to these numbers. This helps spread the malware even further.
  2. FluBot also seeks access to Accessibility Services. If permission is granted, it can control screen taps without a user’s knowledge. Controlling screen taps allows it to install important apps and turn off Google Play Protect.
  3. Most worryingly, FluBot downloads fake log-in screens of popular banking apps. It overlays these fake screens over genuine banking apps and extracts a user’s banking details, which are used to make transactions and create false identities.

How to Detect FluBot on a Device

We’ve covered what FluBot is and how it affects your device. You’re probably wondering how you can tell if your device has been infected by FluBot. Unfortunately, this is not an easy task. FluBot is programmed to be evasive and hard to detect. It does not leave many traces.

However, there are a few telltale signs to watch out for, such as:

  • Check to see if your phone has a Voicemail application with a blue cassette in a yellow envelope as its logo. Also check for delivery service apps, like FedEx or DHL.
  • People on your contact list may inform you of strange messages or calls they received from your number. This could be a sign that FluBot is controlling your device.
  • A spurt in unauthorized transactions on your device is another sign that the virus has infected your device and extracted financial details.
  • In some nations, your service provider may contact you if a large number of texts are sent from your number. If you haven’t sent bulk messages recently, this is a clear sign that your device is infected with FluBot.
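
As an added example (not part of the original article), the Python sketch below triages apps for the combination the article describes: installed from outside Google Play, requesting contacts and SMS permissions, and declaring an accessibility service. It assumes each app's manifest has already been decoded to plain XML and that the installer package name is known; the `triage` function, sample manifests and `com.example.*` package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PLAY_STORE = "com.android.vending"  # installer package name of Google Play
# Permission groups the article says the FluBot app asks for during installation.
GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.CALL_PHONE"},
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage(manifest_xml, installer):
    """Return (package, findings, suspicious) for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = sorted(g for g, perms in GROUPS.items() if perms & requested)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == ACCESSIBILITY for s in root.iter("service")):
        findings.append("accessibility")
    # Assumption: any installer other than Google Play counts as sideloaded.
    if installer != PLAY_STORE:
        findings.append("sideloaded")
    required = {"sideloaded", "accessibility", "sms", "contacts"}
    return root.get("package"), findings, required <= set(findings)

# Constructed sample: a fake "parcel tracking" app installed from a web link.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parceltracker">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an SMS app from Google Play with no accessibility service.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messages">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for xml_text, installer in ((SUSPECT, None), (BENIGN, PLAY_STORE)):
        print(triage(xml_text, installer))
```

A flagged app is a candidate for manual review, not a confirmed infection: legitimate apps from other app stores can match the same combination.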

How Can I Remove FluBot From an Android Device?

Once you’ve figured that FluBot has infected your device, the next step is to remove it and prevent further damage. Removing FluBot can be pretty complicated as it actively avoids deletion by disguising itself as a system app or service.

When you try to delete the infected app, a message saying “You cannot perform this action on a system service” is displayed. Thankfully, you can implement any of the options listed below to override the error and remove FluBot:

  1. Try removing the infected app using Android Safe Mode. You can boot into Safe Mode by long-pressing the Power button and clicking on “Reboot in Safe Mode” (though this varies between devices).
  2. An XDA user has developed an open-source app named “malinstall” which deleted FluBot. You can download it from this GitHub repository.
  3. If neither of the above options works, factory reset your Android device. It’s better to not restore from your backups as they could potentially contain the infected app.

Note: Once FluBot has been removed from your system, do inform your local cyber enforcement authority that your device was infected. This will help them monitor the malware and keep other users safe.


How to Prevent FluBot Infections on Your Devices

Since FluBot is difficult to detect and remove, it’s best to avoid infection in the first place. You can prevent FluBot infection by:

  1. Not clicking on links in suspicious messages or emails as most of these are phishing scams.
  2. Avoiding the installation of apps from untrusted websites and app stores.
  3. Installing an antivirus scanner on your Android device. This will help detect and remove not only FluBot but other malware, like worms and keyloggers. Check out our list of the top 5 antivirus software for 2022 to make an informed choice.
  4. Using two-factor or multi-factor authentication on your accounts, especially for banks and other financial institutions. Even if FluBot gets hold of your password, it may be unable to access the second level of authentication.

The tips outlined above help prevent a FluBot infection and keep your device safe.


Keeping FluBot at Bay: Final Thoughts

Viruses like FluBot rely on a user’s lack of information and knowledge to infect devices. Hence, keeping up with the latest virus-related developments is very important.

A few other sinister instances of malware that users should be aware of are:

  1. Killware
  2. BloodyStealer
  3. Ransomware
  4. Search Encrypt

Users should also take basic preventive measures, such as installing an antivirus on all devices. If you’re looking for an antivirus scanner, go check out Avira Antivirus. It provides solid protection against viruses at a reasonable price.

What Is FluBot Malware? How to Detect, Remove, and Prevent It: Frequently Asked Questions

We’ve answered some of the most pressing and common questions about FluBot in the section below. Be sure to check it out if you have any doubts about the virus and how it spreads. If we’ve not covered something, please do let us know in the comments!

FluBot is a new dangerous malware affecting Android users. It spreads primarily through text messages. These messages ask users to download an app or a security update. During installation, the app requests all kinds of permissions that allow it to basically control the device.

FluBot can be very harmful. It can affect an infected device in the following ways:

  1. It can send messages containing a link to the virus to everyone listed in the user’s contacts
  2. It can change important system settings. For instance, it can turn off Google’s Play Protect, which guards against viruses
  3. It can extract important financial information by overlaying fake log-in screens over banking applications

No, FluBot does not infect iPhones or other Apple devices. While Apple users can also receive text messages with a link to the malicious FluBot app, they cannot install apps from outside the AppStore and cannot be infected as a result.

FluBot is not easy to detect and remove. It actively evades detection and prevents users from deleting the app. However, there are a few clear signs of a FluBot infection. These are:

  1. The presence of a suspicious FedEx, DHL, or Voicemail app on your device
  2. Sending of several text messages from your device to others on your contact list
  3. Unauthorized changes in settings on your device
  4. Spurt in fraudulent transactions on your card

If your device is infected, it’s important to remove FluBot immediately.

Tech journalist
Mohit is a legal and public policy researcher whose work focuses largely on technology regulation. At VPNOverview, he writes about cybersecurity, cryptocurrencies and sports events.