Flubot Malware has been around for the last number of years, hitting subscribers wave after wave, territory by territory. Operators have been scrambling to shore up their defenses to protect their network and subscribers, as usual the fraudsters are one step ahead – once one door is closed another one opens. The possibility of Flubot Malware being delivered via MMS and RCS has long been discussed in the industry, and low volume test messages have been observed in some waves.
The first persistent wave of Flubot infection via MMS appeared in the middle of April. The MMS content appears very similar to previous waves delivered by SMS. Subscribers receive a message advising of a new message, a recent voicemail message or a package delivery which is due. The URL present in the message redirects the subscriber and advises them to download an app to access the content. The subscriber must give the app many permissions during the download process, which ultimately hands over a huge amount of information and control to the fraudster. The device is then infected with malware and becomes part of a botnet, which can be used to further spread the malware to other unknowing subscribers. The malware is controlled by the fraudsters, and can be called into action at any time.
Operators have been managing Flubot infections to date through Firewall rules on their SMSC’s and deprovisioning the accounts of customers who have infected devices. The latter is a resource intensive activity, and frequently meets resistance from the customer – however it limits the Botnet’s ability to spread and protects the network from a potential DDoS attack.
Until now, the MMS service has not been regularly targeted by Fraudsters as a means of delivering content to subscribers. Because of this, implementation of security measures on the MMS service has not been a priority for Operators. This change of tactics by the Fraudsters will force Operators to reassess this view, as they cannot afford to leave a standard service completely unprotected.
Operators should be able to identify infected devices and deprovision the associated accounts, but this measure is best used in conjunction with other mitigations, not as a sole line of defense.