Alerts

We highlight current cyber security threats in New Zealand, and provide guidance on what to do if they affect you.

2:00pm, 4 October 2021

TLP Rating: White

FluBot malware infecting Android phones

Updated 2.00pm on 4 October:

FluBot malware is being spread through text messages on Android phones and is currently affecting New Zealanders. There are a number of different message varieties, including:

  • You have a parcel delivery that is pending
  • Someone is attempting to share an album of photos with you
  • You have received a voicemail

If you have received the texts this does not mean your device has installed the malware. Do not click on the link, as it will direct you to a page with instructions related to the message you have received, or a page that looks like a security warning that you have FluBot installed.

Visiting these pages does not mean you have been infected by FluBot, but do not follow any instructions on these pages, as that will infect your phone.

Examples of installation pages to look out for will continue to be posted here.

FluBot attempts to steal your banking and credit card information as well your contact list, which it uploads to a server to continue spreading itself. Once a device has been infected with FluBot it can result in significant financial loss.

Given that the wording of these texts has changed within a short timeframe, it is likely the wording will change again. Be wary of any suspicious text messages you receive, asking you to click on a link, and forward any new suspicious texts to 7726.

What's happening

Systems affected

Android mobile phones.

What this means

FluBot automatically sends text messages from infected devices to contacts it has received from other infected devices. Once the message is sent, the phone blocks the number so the recipient is unable to respond to avoid raising suspicion.

Messages spreading FluBot will come from New Zealand or other mobile numbers and contain a link to a parcel delivery website asking to install an app or a security update.

Installing the app or update triggers the infection and the device will begin sending messages to other devices, as well as trying to get the device owner’s credit card and banking details.

What to look for

How to tell if you're at risk

If you have received a suspicious text message asking you to follow a link, specifically if you have an Android phone.

How to tell if you're affected

If you have downloaded and installed an app or security update after following a suspicious link in a text message.

What to do

Prevention

Do not click on the link if you receive a suspicious text message, and do not install any app or security update the page asks you to.

If you are expecting a delivery, it’s best to track the delivery via the courier’s website directly.

Forward any new suspicious texts you receive to 7726.

 

Mitigation

If you have been affected by this campaign, you should factory reset your device as soon as possible. This will delete any data on your phone, including personal data.

Do not restore from backups created after installing the app. Seek the services of a qualified IT professional if you require assistance.

You will also need to change the passwords to all of your online accounts, with urgency around your online bank accounts. If you have concerns that your accounts may have been accessed by unauthorised people, contact your bank immediately.

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.