
Deep Analysis of the Flubot Malware

Table of Contents

1. Summary
2. Introduction
3. Background
4. Research Focus
   Research Problem
   Research Question
   Research Aim
5. Research Methodology
6. Proposed Contribution to Science
7. Literature Review
8. Conclusion
9. Recommendation
10. References

Summary

Behaviour analysis, in its general sense, is the study of how an individual behaves, taking into account the biological, experimental and pharmacological factors that apply to humans and non-humans alike. Applied to software, the same approach lets an analyst capture accurately the semantics of the API calls a program makes. This paper covers the FluBot malware and the dynamic analysis techniques that can be used for its behaviour analysis. The research problem, research questions and research aim are set out, followed by the proposed contribution of the paper to the field of science and the significance of its expected results. The literature review section surveys prior work related to the topic, and the report closes with a conclusion and recommendations.

Introduction

Malicious software, or malware, is an umbrella term for any malicious code or program that is destructive or harmful to computer or mobile systems. Intrusive, hostile and purposefully harmful, malware seeks to invade, damage or disable computers, systems, mobile devices, tablets and networks, often by assuming partial control over a device's operations. Like the human flu, it interferes with normal functioning (Malwarebytes, 2021). The motives behind malware differ: it can be used to make money, sabotage work, make a political statement, or simply to boast.
Although malware cannot harm the physical hardware of a computer system or network equipment, it can encrypt, steal, alter or delete data, seize core computing functions, and spy on all other computer activity without the user's consent or knowledge. The two most common ways malware reaches a system are the Internet and email, so fundamentally, whenever you are connected to the web, you are exposed. Malware can enter a computer or mobile system through an SMS text containing a link, browsing hacked sites, a genuine web page serving malicious ads, downloading infected files, installing unfamiliar programs or apps, opening a malicious email attachment, or practically anything else downloaded from the web onto a system that lacks quality anti-malware software. Malicious applications can hide inside apparently genuine applications, particularly when they are downloaded from websites or direct links (email, text, chat message) rather than the official app store. It is therefore important to read the warning messages, especially when an app asks for permission to access your email or other personal data.

FluBot is one such malware. FluBot is the name of a malicious program that targets smartphones mainly through malicious SMS text messages. Cybercriminals distribute FluBot by means of SMS messages, sent in various languages according to the targeted region, with links to download sites for a fake app. This malware has been found to target mainly Android mobile devices in order to steal users' personal data. The link in the SMS downloads a malicious APK file designed to be installed on the mobile device.

Figure 1: Mobile Malware (Meskauskas, 2021)

Background

As mentioned, cybercriminals distribute FluBot by means of SMS messages.
They send messages (in various languages) according to region and target audience, with tempting content such as fake delivery shipment tracking or a government notice, designed to download an APK file that resembles a genuine application installer. During installation, the fake application (the FluBot malicious app) requests a range of permissions on the mobile device: for instance, to read contacts; to compose, read and send SMS messages; to read the phone state; to keep the device awake; to create notifications and post them using the startForeground function; to start calls without going through the Dialer UI; to delete packages; to query any normal application installed on the device; and to open network sockets. FluBot can receive commands from a command and control server, including commands to uninstall apps, block cards, forward SMS messages, open URLs (web addresses), exfiltrate the user's contact list to the attacker, disable Google Play Protect, and various other commands. FluBot is primarily a banking malware that targets customers in various countries. Lately, FluBot has been very active in Australia, where people are receiving its malicious SMS texts. One way the malware steals sensitive information is by displaying windows that request bank card details. In this way, cybercriminals can use FluBot to trick mobile phone users into giving up sensitive data that can be used to steal identities, make fraudulent online purchases and transactions, and so on. They may also use it to extract other personal information such as login credentials, usernames and passwords (Meskauskas, 2021).
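As an added illustration of the static-analysis step in the methodology below, and not code from the original paper: a Python triage script that scores a decoded AndroidManifest.xml (for example the output of apktool) against the permission set just described, and flags the contacts-plus-SMS-plus-accessibility combination that characterises this family. The two manifests embedded in the script are constructed samples and the permission weights are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission names corresponding to the capabilities the Background section
# says the fake installer requests. Weights are assumptions for this example.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS": 2,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 3,
    "android.permission.WRITE_SMS": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.WAKE_LOCK": 1,
    "android.permission.FOREGROUND_SERVICE": 1,
    "android.permission.CALL_PHONE": 2,
    "android.permission.REQUEST_DELETE_PACKAGES": 2,
    "android.permission.QUERY_ALL_PACKAGES": 2,
    "android.permission.INTERNET": 1,
}
# A service guarded by this permission is what lets an overlay banker read
# screen text and act on the accessibility events it receives.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def requested_permissions(manifest_xml: str) -> set:
    """Names declared in <uses-permission> elements of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is protected by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for svc in root.iter("service")
    )

def triage(manifest_xml: str) -> dict:
    """Score a manifest and return the matching permissions plus a coarse verdict."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(p for p in perms if p in SUSPICIOUS_PERMISSIONS)
    score = sum(SUSPICIOUS_PERMISSIONS[p] for p in hits)
    accessibility = declares_accessibility_service(manifest_xml)
    # Contacts + SMS sending is the self-spreading pattern; add an
    # accessibility service and it matches the FluBot profile above.
    spreads_by_sms = {"android.permission.SEND_SMS",
                      "android.permission.READ_CONTACTS"} <= perms
    if spreads_by_sms and accessibility:
        verdict = "flubot-like"
    elif accessibility or score >= 6:
        verdict = "review"
    else:
        verdict = "low"
    return {"score": score, "hits": hits,
            "accessibility_service": accessibility, "verdict": verdict}

# Constructed sample manifests for demonstration (not real FluBot artefacts).
SAMPLE_MALICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeparcel">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""
```

Calling triage(SAMPLE_MALICIOUS) returns a score of 10 with the verdict "flubot-like", while the benign manifest scores 1 and is reported as "low".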
Figure 2: FluBot Malware details (Meskauskas, 2021)

Research Focus

Research Problem

The Android mobile operating system dominates the global mobile operating system market with a share of around 73% ("Statista," 2021), which makes Android more lucrative to attackers. Because Android is open source and holds this market share, many malware families are targeted specifically at Android users. At the time of writing, this particular malware, FluBot, also targets Android users only. The infection starts as a plain text message impersonating a voicemail company or delivery company, with a link to access the voicemail or track the package. When the victim clicks on the link, it downloads the malicious app disguised as a voicemail or delivery app. Android lets users install applications from outside the Play Store (Google's authorised market), whereas the Apple system does not give the user that permission. Once the malware is installed on the phone, it asks for various permissions, including the accessibility permission. Attackers take advantage of this liberty of the Android system, in which users are left to make the security decisions for the device, and most users are not capable of making those decisions by themselves (MacDuffie and Morreale, 2016). FluBot malware is currently circulating in Australia. This research paper focuses on the FluBot malware and its properties.

Research Question

This research paper sets out to analyse the FluBot malware. We will try to understand the motivation behind the malware and its architecture. We will also study how this malware uses the Android system to infect other users and turn them into super-spreaders. One further case of interest is how the telecom companies, despite knowing about the malware, have not succeeded in stopping it from spreading.

Research Aim

We aim to reverse engineer the malware using a sandbox or any other decompiler.
As this malware uses a C&C (command and control) server to communicate and to upload the contacts and other sensitive details, we will also try to understand the mechanism behind it. The malware is also being updated by the attackers, and those updates will be studied as well. In short, we will carry out dynamic analysis of this malware and may perform some small statistical analysis as well. We also aim to provide prevention measures for this malware or any malware with similar attributes, together with guidance on staying vigilant against such malware and how it can be avoided.

Research Methodology

FluBot has affected users globally, although it is still at an early stage in Australia. Nevertheless, it has already reached over 100,000 people since August 4. Over 5500 cases of FluBot have been reported to Scamwatch, and TPG blocked 14m scam SMS in a single week. FluBot can bypass the existing security models and spread rapidly. The risk of becoming a victim of FluBot is higher if it is not disarmed as early as possible. Most existing solutions are unable to detect FluBot because of its sophisticated method of propagation using a DGA (domain generation algorithm) approach. Research is ongoing, but few details of it can be found. Therefore, this research aims to study, analyse and monitor the activities of FluBot so that its malicious activities can be prevented and security can be restored to normal.

Our research combines a variety of methods. We will first analyse how FluBot emerged, what devices are affected, and how it is evolving and bypassing the existing security mechanisms. We will reverse engineer FluBot and perform static and dynamic analysis. The research will be completed in the following stages.

Data analysis: We will continue to monitor the characteristics and the impact of FluBot. The factual data will be updated from various sources such as Scamwatch.
We will further analyse what devices are affected, how the malware is transmitted, who is targeted (race, gender, ethnicity, etc.), who has been successfully victimised, and what impact has resulted (information or monetary loss). We will try to reach the authorities or refer to official websites for these data.

Reverse engineering: Cybercriminals are motivated, skilled, organised and well equipped with various intrusion techniques. By reverse engineering the malware, we will understand their techniques and objectives, which can be useful in preventing such attacks in future. We will reverse engineer the malware using open-source online tools.

Static analysis: FluBot will be decompiled and analysed without running it.

Dynamic analysis: We will run the malware in a sandbox and in emulators so that its behaviour (system calls) and effects can be observed safely. We will also use other open-source tools to broaden the scope of our research, and we will try to examine the effectiveness and weaknesses of the current security solutions.

Network analysis: We plan to use Wireshark to analyse the network protocol and learn how the malware interacts with other machines, i.e. what connections are made and what data are sent. Wireshark captures all the traffic and enables deep inspection of numerous protocols. We can narrow down to the specific traffic by filtering the capture and analysing those packets.

AI models: We will also review some of the novel AI models with state-of-the-art performance and try to analyse their effectiveness in detecting FluBot.

Proposed Contribution to Science

At the current rate of propagation, FluBot will overwhelm the whole community if it is not dealt with early. We will provide a comprehensive analysis of FluBot's emergence and evolution, features, targeted devices and impacts. Our research will focus on security, privacy and safety and provide a complete solution to neutralise FluBot's effectiveness.
The comprehensive report will raise awareness in the community and promote a better security culture by encouraging people to act as the first line of defence. Our analysis and review of several AI models will help to identify a novel model for malware detection. The use of such a model will strengthen the effectiveness of anti-malware applications on Android devices.

Literature Review

Student 1: In this era of digitalisation, we use smartphones and computers to obtain information, create, communicate, and update our social profiles. As we become more accustomed to technology, we are also storing a plethora of data identifying ourselves on our computers and phones. With smartphones becoming more accessible and cheaper, their users have increased significantly from 3.6 billion in 2016 to 6.3 billion in 2021 ("Smartphone users 2026," 2021). As the use of smartphones has grown exponentially, hackers and attackers now target smartphone users because of the huge amount of personal and business information stored on them. 1.4 million malicious application installation packages were found on smartphones worldwide in Q1 (the first quarter) of 2021 alone (Joseph Johnson, 2021), which shows how vulnerable smartphones are and how constantly attackers try to attack them to access the data. Apple's iOS and Google's Android are the most widely used smartphone operating systems in the world. Both have their own curated application market to protect their users; however, Android users can also install applications from outside the Google Play Store. A recent study also found that Google's own Play Store is responsible for 67% of total malicious app installs, while 10% came from alternative application markets (Kotzias et al., 2020).
"In Android, app installations typically happen via the official and alternative markets, but also via other smaller and less understood alternative distribution vectors such as Web downloads, pay-per-install (PPI) services, backup restoration, bloatware, and IM tools" (Kotzias et al., 2020). Web downloads of applications are rare but the most dangerous, and malware usually uses this method to enter the victim's smartphone.

Student 2: Around the end of 2020 and the beginning of 2021, there was a sharp increase in various fraudulent SMS campaigns. The FluBot malware sent package notifications spoofing different companies, such as DHL or FedEx. The receiver of the malicious SMS was invited to install an application on their mobile device to track the item or discover the package's location. After study of three different samples associated with these campaigns, the malware was identified as FluBot. The name was given to this malware because of its ability to spread as if it were a human influenza virus. In other regions, it is also known by the names Fedex Banker or Cabassous. According to forensic investigations carried out by the Swiss company PRODAFT, more than sixty thousand terminals may have been infected, and some eleven million telephone numbers may have been harvested, which is around 25% of Spain's population (FluBot, 2021). Regarding the malicious code's functionality, once the malicious app is installed on the user's phone it is able to track the identifiers of all the apps that are started on the device and to inject superimposed pages when it detects a login session of the target application. The user may think they are entering their credentials on the original website, whereas they are sending the data to the command and control (C2) server controlled by the operator of the malicious app.
Student 3: Afianian, Niksefat, Sadeghiyan and Baptiste (2020) published a survey titled Malware Dynamic Analysis Evasion Techniques: A Survey, which states that the current cyber world is infected with malware that readily infiltrates the existing defence mechanisms, and that the malicious activities performed through it affect the lives of other people (Afianian et al., 2020). This kind of understanding is pursued with the help of dynamic analysis, which is conducted using a sandbox and can be either manual or automatic. The survey gives a comprehensive account of malware activity under different kinds of dynamic evasion techniques and uses a detailed classification to demonstrate how those techniques work. The primary tactic of the malware is fingerprinting, which can be used to reverse the Turing test as well. Accordingly, it is also important to study the generic defensive strategies, such as path exploration techniques, which have the potential to mitigate attacks related to the actions invoked in the system. The efficiency of the system depends on the different analysis approaches it supports, and those help it to evade the sandbox as well. The survey also describes the beginning of the reactive methods and the endeavours towards transparent analysis of the system, from the readily foiled systems to zero. There are advanced and diverse techniques which can be used for the current defensive strategies as well. The article therefore gives a proper demonstration of how the overall workflow of the system is utilised and performed.

Student 4: Android is a flexible operating system with many user-friendly features. It is supported by Google as open-source software. Android can also run applications written in Java.
The libraries and records are compressed into a file that can run only on devices with the Android OS. Android has gained popularity and is widely used because of its flexibility. However, this flexibility also allows developers with ill intent to create malicious applications to perform cyber-attacks. As technology advances, Android device security is being violated by novel malware attacks that are harder to detect and challenging to defeat (Javed et al., 2020). Smartphones are used to store and process user information in various forms, such as text, documents, images and videos, besides making calls. This confidential user data on flexible Android phones makes them a lucrative target for cybercriminals seeking to steal that information (Abuthawabeh & Mahmoud, 2019). Security researchers are alarmed by the increasing amount of malware on Android devices. This malware propagates mainly through the installation of third-party applications. Research has been conducted and strict security measures have been enforced, but sophisticated malware can still bypass them. Nishimoto et al. introduced a method of analysing API calls as dataset features to check whether an application is malicious (Nishimoto et al., 2013). The effectiveness of using such features motivated Chan and Song to carry out further research (Chan & Song, 2014); they introduced a list of 19 API calls and permissions to identify malware. As malware keeps evolving and traditional methods cannot effectively detect new versions of malware, researchers have proposed the combined use of multiple features. For instance, Taheri et al. improved the performance of malware classification by using the static features of permissions and intents together with the dynamic feature of API calls (Taheri et al., 2019).
However, although several research studies have proposed the use of multiple features such as permissions, intents and API calls, sophisticated malware like FluBot continues to evolve and succeeds in penetrating well-guarded networks. This confirms the need for more research in this area.

Conclusion

Finally, the malware uses the accessibility service to perform different kinds of activities, such as overlay attacks, where the targeted package name appears in the triggered event. FluBot reads the screen text, the activity in the browser is started, and an overlay is created over it with the help of the accessibility service. A sandbox is also important, as it ideally provides an environment for IoT botnet samples in which their bad behaviour can be exhibited. The connections to the C&C servers are also established, which share the common libraries for the dynamic files and folders and make use of a wide range of CPUs. FluBot analysis can therefore be based on different API calls, and the sandbox can be used for the dynamic analysis of the system, so that the overall working of the system can be maintained.

Recommendation

Some recommendations for the research paper to be implemented in an organisation are as follows. Different methods can be employed in the study for the purpose of behaviour analysis; for instance, the analyst should establish a baseline and look for the deviations that may occur in the behaviour of any kind of user. The expected result is that researchers can predict future data with the help of the previously analysed behaviour of users. On the other hand, FluBot analysis using API calls is done so that possible malware can be identified on the system.
The studies are based on the different kinds of API calls, which help to detect the different features, after which the malware can be extracted so that no further infection originates from the system.

References

Abuthawabeh, M. K. A., & Mahmoud, K. W. (2019). Android malware detection and categorization based on conversation-level network traffic features. Proceedings – 2019 International Arab Conference on Information Technology, ACIT 2019, 42–47. https://doi.org/10.1109/ACIT47987.2019.8991114

Afianian, A., Niksefat, S., Sadeghiyan, B., & Baptiste, D. (2020). Malware Dynamic Analysis Evasion Techniques: A Survey. Association for Computing Machinery.

Chan, P. P. K., & Song, W. K. (2014). Static detection of Android malware by using permissions and API calls. Proceedings – International Conference on Machine Learning and Cybernetics, 1, 82–87. https://doi.org/10.1109/ICMLC.2014.7009096

Incibe-cert.es. (2021). [online] Available at: [Accessed 29 August 2021].

Javed, A. R., Beg, M. O., Asim, M., Baker, T., & Al-Bayatti, A. H. (2020). AlphaLogger: detecting motion-based side-channel attack using smartphone keystrokes. Journal of Ambient Intelligence and Humanized Computing. https://doi.org/10.1007/s12652-020-01770-0

Johnson, J. (2021). Volume of detected mobile malware packages 2021. Statista. URL https://www.statista.com/statistics/653680/volume-of-detected-mobile-malware-packages/ (accessed 28 August 2021).

Kotzias, P., Caballero, J., & Bilge, L. (2020). How Did That Get In My Phone? Unwanted App Distribution on Android Devices. arXiv:2010.10088 [cs].

Le, H.-V., & Ngo, Q.-D. (2020). V-Sandbox for Dynamic Analysis IoT Botnet. IEEE.

MacDuffie, J. K., & Morreale, P. A. (2016). Comparing Android App Permissions. In: Marcus, A. (Ed.), Design, User Experience, and Usability: Technological Contexts. Springer International Publishing, Cham, pp. 57–64.

Malwarebytes.com. (2021). What is malware? Definition and how to tell if you're infected | Malwarebytes.
[online] Available at: [Accessed 29 August 2021].

Meskauskas, T. (2021). How to remove FluBot Malware (Android) – virus removal instructions (updated). [online] Pcrisk.com. Available at: [Accessed 29 August 2021].

Statista. (2021). Mobile OS market share 2021. URL https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/ (accessed 28 August 2021).

Nishimoto, Y., Kajiwara, N., Matsumoto, S., Hori, Y., & Sakurai, K. (2013). Detection of android API call using logging mechanism within android framework. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST 127, 393–404. https://doi.org/10.1007/978-3-319-04283-1_25

Statista. (2021). Smartphone users 2026. URL https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ (accessed 28 August 2021).

Taheri, L., Kadir, A. F. A., & Lashkari, A. H. (2019). Extensible android malware detection and family classification using network-flows and API-calls. Proceedings – International Carnahan Conference on Security Technology, 2019-October. https://doi.org/10.1109/CCST.2019.8888430