Europol says it disabled FluBot botnet infecting ‘huge’ number of devices

Botnets have proven hard to permanently eradicate in the past, suggesting Europol's success disabling the FluBot malware could be fleeting.
Europol, the European Union's law enforcement agency, is pictured at its headquarters building on June 24, 2020 in The Hague, Netherlands. (Photo by Yuriko Nakao/Getty Images)

The European Union’s law enforcement agency announced Wednesday that an operation involving 11 countries led to its recent takedown of a fast-spreading mobile malware known as FluBot.

The European Union Agency for Law Enforcement Cooperation, popularly known as Europol, said in a web post that the Android malware has been “spreading aggressively through SMS [text messages], stealing passwords, online banking details and other sensitive information from infected smartphones across the world.”

The malware’s infrastructure was disrupted last month by the Dutch Police, according to Europol, which said the Dutch success at inactivating the malware strain was the culmination of a highly technical investigation involving law enforcement from the U.S., Australia and eight European countries. Europol’s European Cybercrime Centre coordinated the complex interagency probe.

Europol said FluBot first emerged in late 2020 and built momentum in 2021, ultimately compromising what it called a “huge” number of devices worldwide, including via especially significant incidents in Spain and Finland.


FluBot leveraged victims’ text messaging to infect their phones, the Europol announcement said.

While Europol heralded its multi-jurisdictional team’s success in taking out FluBot, history suggests the botnet, or network of infected computers, could live to see another day. Botnets have proven difficult to permanently eradicate in the past.

The Android malware has been “spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world.”


For example, Microsoft said in October 2020 that it had obtained a court order which allowed it to disable the infrastructure supporting Trickbot, a prolific malware that distributed massive amounts of ransomware in 2020. But threat analysts subsequently said that Trickbot reemerged as attackers succeeded in getting some users to click and install the malware.

Europol said that Android users targeted with FluBot were asked click a link and install an application in order to keep track of a package delivery. In other cases, victims were told to listen to what Europol described as a “fake voice mail message.” Once installed, FluBot would ask for accessibility permissions which hackers then used to “steal banking app credentials or cryptocurrency account details and disable built-in security mechanisms,” Europol said.


The malware “spread like wildfire due to its ability to access an infected smartphone’s contacts,” the Europol post said. The malware was designed to send links to those contacts, which exponentially increased the malware’s reach in what the Europol web post called a “destructive spiral.”

Europol said the investigation is ongoing as it tries to identify the individuals responsible for the global malware campaign.

Europol said that FluBot malware can be difficult to detect since it masquerades as an application.
The agency advised those who fear they have been infected to check whether an app contains the malware by tapping it. If the app doesn’t open, it could be FluBot.

Similarly, Europol said if users try to uninstall an app without success, instead receiving an error message, it could also be a sign that their device has been infected. The agency said users who believe they are infected with the malware should reset the phone to factory settings.

Suzanne Smalley

Written by Suzanne Smalley

Suzanne joined CyberScoop from Inside Higher Ed, where she covered educational technology and from Yahoo News, where she worked as an investigative reporter. Prior to Yahoo News, Suzanne worked as a consultant to the economist Raj Chetty as he launched his Harvard-based research institute Opportunity Insights. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and covered two presidential campaigns for Newsweek. She holds a masters in journalism from Northwestern and a BA from Georgetown. A Miami native, Suzanne lives in upper Northwest Washington with her family.

Latest Podcasts