Android/Flubot: preparing for a new campaign?

Update March 29, 2021: a new campaign is confirmed, in Hungary. See this tweet. It looks like the version 3.7 I analyzed wasn’t totally finished, because in the one I analyze, the campaign number nor the DGA haven’t been updated, while the tweet shows a version 3.7 where all modifications have been made.

March 29, 2nd update: this is moving rapidly, version 3.8 is already out: see here.

Since Friday (March 26, 2021), Android/Flubot is propagating a new version, v3.7. For reminder, Android/Flubot is an Android banking malware, which surfaced in November 2020. In short, the malware abuses yet and again Android’s Accessibility Services. For example, to disable Play Protect, or display overlay windows to grab credit card info. But it also abuses the Accessibility Services for features I had not seen in other malware before like automatically accepting to send SMS messages. Read this excellent analysis from Prodaft for more details. I won’t repeat what’s in the report and only focus on differences.

New version 3.7 is currently distributing!

The list of APK distribution domains is long (see at the end of this article in section “IoCs”) and changes frequently. The websites check the browser’s user agent matches an Android platform, and won’t respond to other platforms (i.e you have to append a fake Android user agent to get the pages). The served page is the same as in Prodaft’s report, except we currently view the German campaign.

Several of these domains currently serve an APK sha256 e4d70de608d9491119bacd0729a5a2f55ce477227bd7b55d88fa2086486e886d which an even more recent version of Flubot. This sample is packed (like others) and is a new version, 3.7, of Flubot.

What’s new in v3.7?

Actually, close to nothing both in the code and obfuscated strings. Reminder: strings are obfuscated using “paranoid” Java library. You can de-obfuscate all strings of v3.6 and v3.7 with my stand-alone source code.

The only difference lies in preparing support for the hungarian language.

Does this mean the next campaign of Flubot is going to target Hungarian end-users? It’s quite uncertain currently, especially because although the HU_TEXT entry is present, hungarian strings haven’t been added yet, and the rest of the code does not support .hu locale. In addition, the campaign indicator ProgConfig.CAMP_NUM_PREF is still set to Germany (49).

Take away summary

  • Because of string obfuscation, the obfuscated chunks change for each version of Flubot. However, the de-obfuscated content is very similar. Actually, the only notable change in 3.7 looks like preparation for support of the hungarian language. Yet, the current campaign still targets german speaking end-users.
  • You can watch a video of Flubot in action (see beginning of article). The communication flow with the C&C thanks to a Frida hook which displays text before encryption.
  • If you wish to work on Flubot, several scripts (obfuscation, domain name generation, Frida hooks) are available: see References below
  • An updated list of active C&Cs and distribution hosts is provided in Appendix.

References

IoCs

List of active C&Cs:

Both domains have changed since Prodaft’s report and currently go to the following (March 26, 2021):

List of APK distribution domains:

— Cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.