The notorious FluBot Android banking Trojan has a new, grimly amusing trick up its sleeve: It tries to fool you into downloading a fake "security update" by warning you about ... FluBot itself.
"Your device is infected with the FluBot malware," reads a stark red screen that you'll see if you click on a link in a text message. "Android has detected that your device has been infected."
- Your Apple Pay money can be stolen over the air — here's what to do
- The best Android antivirus apps
- Plus: Samsung Galaxy S22 vs. Phone 13: Can Samsung beat Apple?
In fact, your device has NOT been infected yet. But it will be if you do what the message suggests: "You must install an Android security update to remove FluBot."
The actual warning about this fake warning came last week from New Zealand's Computer Emergency Response Team (opens in new tab) (CERT NZ), a government agency that alerts citizens and enterprises about cybersecurity threats. (Many countries have a CERT; the U.S. somehow has two.)
If you are seeing this page, it does not mean you are infected with Flubot however if you follow the false instructions from this page, it WILL infect your device. https://t.co/KrcPhCQB90September 30, 2021
When last we checked in on FluBot, it lured you in with a text message telling you about a problem with a package delivery. A link in the message you to a bogus page that said you had to download and fill out a form to get your package. You'd be infected you with FluBot if you followed the instructions.
You may still get that package-delivery notice, said CERT NZ, which led off with a tweet about the new variant and then followed up with a blog post (opens in new tab). Or you might be texted a bogus warning that naughty photos of you had been put online.
Sometimes you'll get an image of a friendly young woman holding a package with the traditional "application form" to download and fill out. Sometimes you'll get the scary image below. (We appreciate the humor of putting a registered-trademark symbol next to the name of the malware.)
How to avoid being infected by FluBot
"The malicious app will only infect your phone if [you] click the link AND download the app," CERT NZ's blog post said. "Receiving the text does not mean you are infected. Apple phones can receive the message but cannot be infected."
That's very true. So are two statements in the bogus FluBot warning screen itself.
"FluBot is an Android spyware that aims to steal financial-login and password data from your device," it states. If you have trouble installing the fake "Android security update," then you need to "select 'Settings' and enable the installation of unknown apps."
That's because by default, Google-provisioned Android phones will install apps only from the official Google Play Store unless the user overrides those settings. That's what the fake warning/real FluBot wants you to do. Don't do it.
Instead, make sure the default app-loading settings are on. In Android 8 or later, go to Settings > Apps > Special access > Install unknown apps, and then make sure that "Not allowed" is next to each app name. If you see an "Allowed", tap on the app and toggle off the switch.
In Android 7 or earlier, go to Settings > Security (or Lockscreen and Security), where you'll see an entry labeled "Unknown sources." Make sure it's toggled off.
You'll also want to be running one of the best Android antivirus apps. FluBot has been around for most of 2021, so most antivirus apps will recognize and block it right away.
FluBot first appeared in Spain in early 2021, spread to other European countries and now is expanding worldwide.
If you get an SMS text message that a package is waiting for you — or especially if you get a text that seems to be about an expensive item, like an iPhone 13, that's just waiting to be picked up — be very very wary. Don't download random software from links that show up in text messages, and definitely don't enable unknown sources or unknown apps.