The year 2021 began with SMS text messages, supposedly sent by Correos, reminding us that "your shipment is on its way". Using the pretext that a package or letter was on its way to us, the message pushed users to open a link. On the destination website, the supposed Correos site insisted that, to track a pending shipment, we had to download an Android application, and there a malicious APK file was downloaded, called Correos.apk or Correos-3.apk.
Since then, this pattern has been repeated with DHL and FedEx, two other courier giants operating in Spain. This SMS malware scam was christened Flubot, and now it is back, this time impersonating MRW. You have to be attentive, because what it is achieving is no joke: at the beginning of March the Swiss company PRODAFT estimated that more than 60,000 Android terminals had been infected and 11 million phone numbers stolen. The latter figure represents 25% of the inhabitants of Spain.
Malware Hunter Team reported on its Twitter account having discovered these hashes:
"mrw-1.apk": 8ad776c24baffce19f92e00714f79703 limitada7319b1255cf6a4c6f888d661eb0f4
The shipment has been returned
Josep Albors, malware hunter and security evangelist, showed on his Twitter account an example of what this new phishing case looks like. You receive an SMS on your phone that says: ": The shipment has been returned twice to the nearest center code:" (the two extra colons that mean nothing, and the lack of accents or commas, are exactly how the SMS appears). After "code:", a combination of letters and numbers and a link appear.
If you open the link, you arrive at a website with the MRW logo, a link in an orange box that asks you to download an application that will give you information, and another link that says it will tell you how to install it. It also gives some instructions so that you can properly download the file they want you to download, which will supposedly tell you where the nearby offices are where you can pick up the package.
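The lure format described above (courier name, "returned" or "on its way" shipment wording, a "code:" followed by letters and digits, and a link) lends itself to a simple heuristic filter. The following is an added example written for this article, not code from the article or from any of the researchers mentioned; the sample SMS texts and domains are constructed and the scoring weights are an assumption.

```python
import re

# Constructed sample SMS texts modelled on the lures described in the article.
# The domains are placeholders, not real indicators.
SAMPLE_SMS = [
    "MRW: The shipment has been returned twice to the nearest center code: XK82QF7 http://mrw-tracking.example/a1",
    "Correos: your shipment is on its way, track it here https://correos-envio.example/track",
    "Hi, dinner at 8? Bring the code: 1234 for the door",
    "Your DHL parcel could not be delivered code: ZP91LL http://dhl-track.example/x",
]

# Couriers the article says have been impersonated so far.
COURIER_NAMES = ("mrw", "correos", "dhl", "fedex")
# Wording typical of a delivery lure.
SHIPMENT_WORDS = ("shipment", "package", "parcel", "delivery", "returned", "track")
# A link, and a "code:" followed by an alphanumeric tracking-style token.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
CODE_RE = re.compile(r"\bcode:\s*([A-Z0-9]{4,})", re.IGNORECASE)


def score_sms(text):
    """Return (score, reasons) for one SMS; each matching trait adds one point."""
    lowered = text.lower()
    reasons = []
    if any(name in lowered for name in COURIER_NAMES):
        reasons.append("courier name")
    if any(word in lowered for word in SHIPMENT_WORDS):
        reasons.append("shipment wording")
    if URL_RE.search(text):
        reasons.append("link")
    if CODE_RE.search(text):
        reasons.append("tracking-style code")
    return len(reasons), reasons


def flag_suspicious(messages, threshold=3):
    """Return the messages whose score reaches the threshold (assumed cut-off)."""
    return [m for m in messages if score_sms(m)[0] >= threshold]


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        score, reasons = score_sms(sms)
        print(score, reasons, sms[:60])
```

A message that only mentions a courier, or only contains a link, stays below the threshold; it takes the combination of courier name, shipment wording, link and code that the article describes to trip the filter.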
What Flubot can achieve and how to remove it
Although more still needs to be learned about what the MRW variant can achieve, it is known that those behind Flubot are able to access our device and our bank accounts, to the point of withdrawing money from them without the affected users noticing.
PRODAFT, which investigated the impact of the campaigns impersonating the other courier companies, could see in the control panel that, despite its simplistic appearance, this malware is capable of handling tens of thousands of connections to infected devices "without any performance issues".
Remember that this infection already has a solution. In mid-March, Linuxct, an Android security expert and developer, launched FluBot Malware Uninstall on the Play Store, a small utility that claims to uninstall the Flubot malware from Android smartphones in just a few steps. This is relevant because, given the permissions the victims granted, it was not easy to uninstall manually.
Instead of launching a common application, which Flubot could control and evade, the developer of FluBot Malware Uninstall designed it as an Android launcher. Thus, when Flubot takes control of the terminal by tapping to return to the Home screen when it detects that the user wants to uninstall it, what it actually does is take us to the malware uninstaller itself.