Watch out for this fake Android security update — it's really malware

The notorious FluBot Android banking Trojan has a new, grimly amusing trick up its sleeve: It tries to fool you into downloading a fake "security update" by warning you about ... FluBot itself.

"Your device is infected with the FluBot malware," reads a stark red screen that you'll see if you click on a link in a text message. "Android has detected that your device has been infected."

In fact, your device has NOT been infected yet. But it will be if you do what the message suggests: "You must install an Android security update to remove FluBot."

The actual warning about this fake warning came last week from New Zealand's Computer Emergency Response Team (CERT NZ), a government agency that alerts citizens and enterprises about cybersecurity threats. (Many countries have a CERT; the U.S. somehow has two.)

When last we checked in on FluBot, it lured you in with a text message telling you about a problem with a package delivery. A link in the message took you to a bogus page that said you had to download and fill out a form to get your package. You'd be infected with FluBot if you followed the instructions.

You may still get that package-delivery notice, said CERT NZ, which led off with a tweet about the new variant and then followed up with a blog post. Or you might be texted a bogus warning that naughty photos of you had been put online.

Sometimes you'll get an image of a friendly young woman holding a package with the traditional "application form" to download and fill out. Sometimes you'll get the scary image below. (We appreciate the humor of putting a registered-trademark symbol next to the name of the malware.)

(Image credit: CERT NZ/FluBot)

How to avoid being infected by FluBot

"The malicious app will only infect your phone if [you] click the link AND download the app," CERT NZ's blog post said. "Receiving the text does not mean you are infected. Apple phones can receive the message but cannot be infected."

That's very true. So are two statements in the bogus FluBot warning screen itself. 

"FluBot is an Android spyware that aims to steal financial-login and password data from your device," it states. If you have trouble installing the fake "Android security update," then you need to "select 'Settings' and enable the installation of unknown apps."

That's because by default, Google-provisioned Android phones will install apps only from the official Google Play Store unless the user overrides those settings. That's what the fake warning/real FluBot wants you to do. Don't do it. 

Instead, make sure the default app-loading settings are on. In Android 8 or later, go to Settings > Apps > Special access > Install unknown apps, and then make sure that "Not allowed" is next to each app name. If you see an "Allowed", tap on the app and toggle off the switch.

In Android 7 or earlier, go to Settings > Security (or Lockscreen and Security), where you'll see an entry labeled "Unknown sources." Make sure it's toggled off.
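
The same two settings can be read over adb, which helps when you have several phones to check. This is an added example, not code from the article or from CERT NZ. It assumes adb is installed and USB debugging is enabled on the phone, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): read the "unknown apps" settings over adb.
# Function names are illustrative; assumes adb and a phone with USB debugging on.

# Reduce `cmd appops query-op REQUEST_INSTALL_PACKAGES allow` output (stdin)
# to package names. The device prints "No operations." when no app qualifies.
allowed_installers() {
    tr -d '\r' | grep -E '^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+$' || true
}

# Classify the single "Unknown sources" toggle of Android 7 and earlier.
# $1 = SDK level, $2 = output of `settings get secure install_non_market_apps`
legacy_unknown_sources() {
    if [ "$1" -ge 26 ]; then
        echo "n/a"      # Android 8+ uses the per-app permission instead
    elif [ "$2" = "1" ]; then
        echo "on"
    else
        echo "off"
    fi
}

# Audit the attached device; returns non-zero if sideloading is permitted.
audit_device() {
    sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
    if [ "$sdk" -ge 26 ]; then
        pkgs=$(adb shell cmd appops query-op REQUEST_INSTALL_PACKAGES allow \
            | allowed_installers)
        if [ -z "$pkgs" ]; then
            echo "OK: no app is allowed to install unknown apps"
            return 0
        fi
        echo "Allowed to install unknown apps (toggle these off):"
        echo "$pkgs" | sed 's/^/  /'
        return 1
    fi
    val=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
    state=$(legacy_unknown_sources "$sdk" "$val")
    echo "Unknown sources: $state"
    [ "$state" = "off" ]
}

# Only touch a device when asked to: sh audit.sh --device
if [ "${1:-}" = "--device" ]; then
    audit_device
fi
```

Any package the script lists on Android 8 or later is one that shows "Allowed" in the Settings screen described above.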

You'll also want to be running one of the best Android antivirus apps. FluBot has been around for most of 2021, so most antivirus apps will recognize and block it right away.

FluBot first appeared in Spain in early 2021, spread to other European countries and now is expanding worldwide. 

If you get an SMS text message that a package is waiting for you — or especially if you get a text that seems to be about an expensive item, like an iPhone 13, that's just waiting to be picked up — be very very wary. Don't download random software from links that show up in text messages, and definitely don't enable unknown sources or unknown apps. 

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.