
Mitigating FluBot

David Warburton, principal threat research evangelist with F5 Labs, offers the following suggestions for mitigating FluBot.

Prevent

FluBot relies on tricking the user into downloading a trojan hosted on an attacker-controlled server. Android phones will, by default, prevent installation from outside of the Google Play store, though attackers know this and coach the victim into bypassing this restriction. A combined approach, using both people and technology, should be taken to mitigate installation of apps from untrusted sources.

First, educate staff members and/or customers that they should rarely, if ever, install Android apps from outside of the Google Play store. They should understand that any message asking them to bypass security for the benefit of installing an app should not be trusted.

Secondly, if managed corporate mobile devices are in use by employees, consider mobile device management (MDM) solutions, which can lock down the ability to install apps from outside of the Google Play store.

It is worth noting that since FluBot is able to capture SMS messages and grab images from the screen, multifactor authentication (MFA) solutions may not prevent the abuse of stolen credentials, since one-time passwords can be stolen from the SMS message or viewed on the victim’s screen. MFA solutions which instead use push notifications to approve login attempts may be somewhat more successful in preventing abuse, but since FluBot is able to control an Android device using the Accessibility Service, this method may also be inadequate.

Detect

Preventing infection by this kind of trojan can be difficult, if not impossible, for non-corporate or unmanaged devices. It’s therefore critical to be able to identify when stolen credentials are being used by fraudsters and, additionally, detect when automated bots are launching attacks.

Modern application security solutions offer the ability to detect authentication abuse, including credential stuffing attacks. Unlike password brute forcing, which can be trivial to mitigate, credential stuffing can be difficult to detect since malicious requests appear quite genuine in nature. Effective solutions should be able to match a supplied password against a list of known stolen credentials and combine this with the ability to detect when requests come from a compromised device that may be part of a botnet.
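The two capabilities described above, matching a supplied password against a stolen-credential list and telling credential stuffing apart from brute forcing and from known botnet devices, as an added example in Python. This is not F5's code or any product's detection logic; the breached-password set, the compromised-device fingerprints, the log format and the thresholds are all constructed for illustration.

```python
"""Added example: stolen-credential matching plus credential-stuffing detection
over constructed login logs. Not F5's code; every data value below is made up."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a corpus of known stolen passwords.
BREACHED_PASSWORDS = {"Password123", "qwerty", "letmein", "Summer2021!"}
# Constructed set of device fingerprints previously seen in botnet traffic.
KNOWN_BOT_DEVICES = {"dev-aa11"}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index breached hashes by 5-hex-char prefix so a lookup exposes only the prefix
# (the k-anonymity range-query pattern; here served from a local dict).
BREACH_INDEX: dict[str, set[str]] = defaultdict(set)
for _pw in BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def password_is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the stolen-credential index."""
    h = sha1_hex(password)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


@dataclass
class LoginEvent:
    ts: int
    src_ip: str
    username: str
    success: bool
    device_id: str


# Constructed log: "<ts> <src_ip> <username> <OK|FAIL> <device_id>" per line.
SAMPLE_LOG = """\
1 203.0.113.10 alice FAIL dev-aa11
2 203.0.113.10 bob FAIL dev-aa11
3 203.0.113.10 carol FAIL dev-aa11
4 203.0.113.10 dave OK dev-aa11
5 203.0.113.10 erin FAIL dev-aa11
6 203.0.113.10 frank FAIL dev-aa11
7 198.51.100.7 alice FAIL dev-bb22
8 198.51.100.7 alice FAIL dev-bb22
9 198.51.100.7 alice FAIL dev-bb22
10 198.51.100.7 alice FAIL dev-bb22
11 192.0.2.5 grace OK dev-cc33
"""


def parse_log(text: str) -> list[LoginEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, dev = line.split()
        events.append(LoginEvent(int(ts), ip, user, result == "OK", dev))
    return events


def classify_sources(events, min_attempts=4, distinct_user_ratio=0.8):
    """Tag each source IP. 'stuffing': attempts spread over mostly distinct
    usernames (one guess per account, as with a leaked list). 'brute_force':
    many attempts on one username. 'botnet_device': known-compromised device."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    tags = {}
    for ip, evs in by_ip.items():
        found = set()
        attempts = len(evs)
        distinct_users = len({e.username for e in evs})
        if any(e.device_id in KNOWN_BOT_DEVICES for e in evs):
            found.add("botnet_device")
        if attempts >= min_attempts:
            if distinct_users / attempts >= distinct_user_ratio:
                found.add("stuffing")
            elif distinct_users == 1:
                found.add("brute_force")
        tags[ip] = sorted(found)
    return tags


def assess_login(password: str, src_ip: str, source_tags: dict) -> str:
    """'block' if the source is already flagged; 'step_up' if the password is a
    known stolen one (force a non-SMS verification or reset); else 'allow'."""
    if source_tags.get(src_ip):
        return "block"
    if password_is_breached(password):
        return "step_up"
    return "allow"


if __name__ == "__main__":
    tags = classify_sources(parse_log(SAMPLE_LOG))
    for ip, t in tags.items():
        print(ip, t or ["normal"])
    print(assess_login("Summer2021!", "192.0.2.5", tags))
```

The distinguishing signal is the ratio of distinct usernames to attempts per source: a stuffing run tries each leaked account once or twice, while brute forcing hammers one account. The step-up path deliberately avoids SMS as the second factor, for the reason the Prevent section gives: on a FluBot-infected phone the one-time code can be read by the malware.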

Identify

With the ability to fully control the victim’s device and hide incoming SMS messages, it is essential that out-of-band methods are used to alert victims to activity on their account. Using email, for example, to alert the user of a new login or suspicious transaction may be the only way to reliably inform them of malicious activity on their account.