
Researchers are warning of a new, enhanced version of the FluBot Android malware that spreads posing as Flash Player. A recent smishing campaign was spotted targeting Polish users with a message asking them to click on a link to view a video. Upon clicking the link, recipients are redirected to a page offering a fake Flash Player APK that delivers the FluBot malware to the Android device.
FluBot has been active since late 2020, when it was first observed targeting Spanish users. Since March 2021, the malicious code has also been employed in attacks aimed at several European countries as well as Japan.
Threat actors are leveraging fake security updates to trick victims into installing the malicious code: the attackers display fake security warnings about FluBot infections and urge users to install the "security update".
The following chart shows the FluBot infection chain; the malicious code starts spreading using the initial victim's contact list.

- The victim receives an SMS message that includes a link to a malicious URL.
- The victim clicks the link and is prompted to install an app.
- The victim downloads and opens the malicious app that installs FluBot.
- FluBot accesses the victim’s contact list and uploads it to the C2 server.
- FluBot downloads a list of new contacts to target.
- FluBot sends SMS messages to the new list of target contacts, thus propagating FluBot.
FluBot version 5.2 introduces important improvements, such as a new command, UPDATE_ALT_SEED, that allows operators to change the domain generation algorithm (DGA) seed remotely.
“In version 5.2 a new command, UPDATE_ALT_SEED, is introduced. It enables the attackers to change the DGA (domain generation algorithms) seed remotely. Once such a command is dispatched, FluBot stores the updated seed inside the shared preferences under “g” key.”
Researchers' statement
The feature allows operators to evade DNS blocklists intended to isolate the C2 infrastructure. Experts also noticed that in the new version the DGA uses 30 top-level domains instead of the three used in previous versions.
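As an added defender-side example (not code from the article or from the researchers it quotes), the following Python heuristic scans resolver log lines for names that look like this DGA's output, using the 15-letter label length and the expanded TLD set visible in the article's domain sample; the log line format, the consonant-run threshold and the per-client hit threshold are assumptions.

```python
import re
from collections import defaultdict

# TLDs taken from the DGA domain sample published with the article (subset).
FLUBOT_TLDS = {"gdn", "tj", "website", "space", "bar", "net", "org", "md", "news",
               "com.ua", "info", "top", "biz", "pw", "ru", "shop", "kim", "online",
               "xyz", "am", "kz", "site", "host", "work", "icu", "email", "com", "su", "cn"}
LABEL_RE = re.compile(r"^[a-z]{15}$")  # every sampled domain has a 15-letter label

def split_domain(fqdn: str):
    # Return (registrable label, suffix); the DGA's "com.ua" counts as one suffix.
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return "", ""
    if len(parts) >= 3 and ".".join(parts[-2:]) in FLUBOT_TLDS:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]

def max_consonant_run(label: str) -> int:
    # Longest run of non-vowels: random letters produce runs real words rarely do.
    run = best = 0
    for ch in label:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best

def looks_like_flubot_dga(fqdn: str, min_run: int = 4) -> bool:
    # Heuristic (assumed thresholds): 15 lowercase letters, a suffix from the
    # sample, and a long consonant run.
    label, suffix = split_domain(fqdn)
    return (suffix in FLUBOT_TLDS and LABEL_RE.match(label) is not None
            and max_consonant_run(label) >= min_run)

# Constructed resolver log lines (timestamp, client, query name, rcode) for the demo;
# the DGA names come from the article's list, the other names are benign filler.
SAMPLE_LOG = """\
2021-12-01T10:00:01 10.0.0.5 sanjwhqlroxeqsg.gdn NXDOMAIN
2021-12-01T10:00:01 10.0.0.5 ehqlyxolqccohhe.tj NXDOMAIN
2021-12-01T10:00:02 10.0.0.5 uuyjuucswhjelvs.com.ua NXDOMAIN
2021-12-01T10:00:02 10.0.0.5 login.microsoftonline.com NOERROR
2021-12-01T10:00:03 10.0.0.7 www.example.org NOERROR
2021-12-01T10:00:04 10.0.0.7 doatcitxkkqmxvj.space NXDOMAIN
"""

def suspicious_clients(log_text: str, min_hits: int = 3) -> dict:
    # Flag clients that queried at least min_hits distinct DGA-looking names.
    hits = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname, _rcode = line.split()
        if looks_like_flubot_dga(qname):
            hits[client].add(qname)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_hits}
```

A single hit is weak evidence; a client walking several such names in a short window is the pattern worth alerting on.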
In version 4.9, FluBot communicated directly with the server using HTTPS port 443. In FluBot version 5.0, the malware communicates with the C2 server through DNS Tunneling over HTTPS.
The new version supports a long list of commands including:
- UPDATE_DNS_SERVERS: New in Version 5.0
- UPDATE_ALT_SEED: New in Version 5.2
- NOTIF_INT_TOGGLE: Notification Interception
- GET_SMS: Propagation Through SMS (revised in Version 5.2)
- RELOAD_INJECTS: Injections and Overlays
- UPLOAD_SMS: SMS Logging
- SMS_INT_TOGGLE: SMS Interception
- GET_CONTACTS: Contact List Logging
- DISABLE_PLAY_PROTECT
- Run USSD: Recharge Using Phone Call
- Disable Battery Optimization
- Keylogger/Screen Grabber
- UNINSTALL_APP
- OPEN_URL: Opens a URL on the Device
- SEND_SMS: Sends SMS Messages on Demand
Indicators of Compromise
- Version 4.9 – Malware APK e93a4e8bec4e2bf47157e55be150c8fb62c38cd4ca180b473f53259fa44cdd48
- Version 5 – Malware APK 4bf1e7a6e5febfb345b13a596b954e50c59d9506046592d39d4a6e9f01dfea53
- Version 5.1 – Malware APK 1dc84f5f1ee6daf33f5da0d0d82f252c64274a771c6214170eae441d18447fea
- Version 5.2 – Malware APK 4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c
DGA domains (new version):
DGA domains (previous version):