Police in 11 countries have arrested a mobile phone scam called FluBot that spread worldwide via fake text messages, Dutch and EU police said on Wednesday.
Dutch cybercops led an operation in May targeting the malware, which infects Android phones with texts pretending to be from a packaging company or saying a person has a voicemail waiting.
Hackers would then steal banking information from infected phones, automatically sending messages to other cell phones in the user’s contact list, relaying the scam as a flu virus.
“To date, we have disconnected 10,000 victims from the FluBot network and prevented more than 6.5 million spam text messages,” the Dutch police said in a statement.
The EU police station Europol said FluBot was among “the fastest-distributed mobile malware to date” and “was able to spread like wildfire due to its ability to access an infected smartphone’s contacts”.
Police had made the malware “inactive” but are still looking for the culprits, it said.
“This FluBot infrastructure is now under law enforcement control and ends the destructive spiral,” Europol said.
The countries involved in the investigation were Australia, the United States, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, and the Netherlands, coordinated by Europol’s Cybercrime Center.
FluBot became one of the world’s most infamous cyber scams after it first surfaced in December 2020, “wreaking havoc” across the globe, Europol said.
The agency said the bug affected a “large number of devices worldwide”, especially in Europe and the US, with “major incidents” in Spain and Finland.
Australian media last year said FluBot was spreading “like a tsunami”, bombarding some users with texts.
Details of how police picked up the scam remain sketchy, with officials saying they don’t want criminals to know how they picked it up.
The Dutch police said a cybercrime team in the east of the Netherlands disabled FluBot by “intervening and disrupting the criminal process” without giving more details.
Europol said the removal did not involve physical infrastructure such as servers but declined to say more.
“The Dutch police have found another way to disrupt criminal activities,” a Europol spokeswoman told AFP.
But FluBot’s method was simple, according to Europol and the Dutch police.
It would arrive “mainly via a fake text message on behalf of a known parcel delivery service” or say that the user had a voicemail to listen to.
They are then asked to click on a link to download an app from the parcel service to track a parcel or to listen to the voicemail.
But in fact, FluBot would install the malware on their phones. The fake app would then ask for permission to access various other applications.
Hackers can then see their victims enter passwords for banking, credit card, or cryptocurrency apps and steal from them, Europol said.
What made it “very dangerous” was the ability to access a phone’s contact list and then send fake texts to other phones.
The scam only targeted phones running Google’s Android operating system. Apple’s iOS system was not affected.