Police in 11 countries have taken down a mobile phone scam dubbed FluBot that spread around the world via fake text messages, Dutch and EU police said on Wednesday.
Dutch cybercops led an operation in May targeting the malware, which infects Android phones using texts which pretend to be from a parcel firm or which say a person has a voicemail waiting.
Hackers would then steal bank details from infected phones, which automatically sent messages to other mobiles in the user’s contact list, passing on the scam like a flu virus.
“To date, we have disconnected ten thousand victims from the FluBot network and prevented over 6.5 million spam text messages,” Dutch police said in a statement.
The EU’s police agency Europol said FluBot was among “the fastest-spreading mobile malware to date” and was “able to spread like wildfire due to its ability to access an infected smartphone’s contacts.”
Police had made the malware “inactive” but are still hunting the culprits, it said.
“This FluBot infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral,” Europol said.
The countries involved in carrying out the investigation were Australia, the United States, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, and the Netherlands, coordinated by Europol’s cybercrime centre.
FluBot became one of the world’s most notorious cyberscams after it first emerged in December 2020, “wreaking havoc” around the world, Europol said.
The agency said the bug had compromised a “huge number of devices worldwide”, especially in Europe and the US, with “major incidents” in Spain and Finland.
Australian media said last year that FluBot was spreading “like a tsunami” with some users being bombarded by texts.
Details of how police took down the scam remain sketchy, with officials saying they do not want criminals to know how they busted it.
Dutch police said a cybercrime team in the eastern Netherlands had taken down FluBot by “intervening and disrupting the criminal process”, without giving more details.
Europol said the takedown did not involve removing any physical infrastructure such as servers but also refused to say more.
“The Dutch police found another way to disrupt the criminal activity,” a Europol spokeswoman told AFP.
But FluBot’s method was simple, according to Europol and the Dutch police.
It would arrive “mainly via a fake SMS on behalf of a well-known parcel delivery service” or saying the user had a voicemail to listen to.
They would then be asked to click on a link to download an app from the parcel service to track a package, or to listen to the voicemail.
But in fact FluBot would install the malware on their phones. The fake app would then ask permission to access various other applications.
Hackers could then see their victims entering passwords for banking, credit card or cryptocurrency apps and steal from them, Europol said.
What made it “very dangerous” was its ability to access a phone’s contact list and then send fake texts to other phones.
“Victims often do not know that they have installed the malware. The further spread of the malware also happens without the user of a mobile phone noticing,” Dutch police said.
The scam only targeted phones with Google’s Android operating system. Apple’s iOS system was not affected.