Flubot case study

Flubot, a large-scale malware scam campaign that targeted mobile devices, emerged in New Zealand in September 2021 after originating in Spain in December 2020. The malware was a “trojan horse” that infected mobile devices via text messages that appeared legitimate. The messages claimed that the recipient had a voicemail or a missed parcel, or that their private images had been accessed. If the recipient clicked the link in the text message, an application was downloaded that infected the device with the Flubot malware. The malware then stole personal information, including passwords, banking information, and credit card details, before accessing the phone’s contact details to further spread the scam.

The campaign resulted in New Zealanders receiving over 944,000 email and text spam notifications. Te Tari Taiwhenua Department of Internal Affairs (DIA) received more than 114,000 text message reports to our 7726 TXT spam report line in nine days. We identified 1,500 unique sender numbers and 94,000 malicious web addresses, or URLs.

Flubot was substantially more widespread than other large-scale SMS scams within New Zealand. In the six months the virus persisted, we received more than 800,000 reports, at least 700,000 of which were attributed to Flubot. In comparison, DIA averaged 60,000 reports in previous years.

How DIA responded to Flubot

Within three hours of identifying Flubot, DIA set up an emergency response group with CERT NZ, the Telecommunications Forum and mobile network providers to reduce the harm of Flubot. This included reaching out to people whose phones had been compromised, issuing press releases, and using social media channels to deliver advice on how to avoid scams and where to report them.

DIA conducted regular monitoring and analysis of the malware to understand how it operated and detect any changes. We responded to 360 incoming queries to the Spam mailbox and made 400+ phone calls to numbers we identified as having been infected by the virus.

Looking forward

An international law enforcement operation consisting of 11 countries and co-ordinated by the Europol European Cybercrime Centre took down Flubot’s infrastructure in May 2022. Although the Flubot infrastructure was taken down and the virus is no longer in operation, its scale and impact demonstrate the importance of anticipating and preparing for new viruses.

Consequently, the lessons learned and relationships strengthened during Flubot will enable us to be better prepared to respond to malware in future.