Widespread Reporting of Flubot ‘Takedown’ Shows How Little We Really Know

Two weeks ago there was a surge of media reports about the ‘takedown’ of Flubot malware by European police forces. It is good to learn of law enforcement agencies tackling a virulent strain of phone malware that spreads by SMS, but what did the police actually do? None of the many journalists who covered the story offered any answer to that question. They just shuffled the words of an exceptionally thin Europol press release, without seeming to notice that the news consisted of one statement repeated in three different ways:

[Flubot’s] infrastructure was successfully disrupted earlier in May by the Dutch Police (Politie)…

This FluBot infrastructure is now under the control of law enforcement…

With cases spreading across Europe and Australia, international police cooperation was central in taking down the FluBot criminal infrastructure.

No detail was given about the infrastructure. Nothing was said about how it was taken down or how the police assumed control of it. No mention was made of servers or where they were located, beyond the implication that they fell within Dutch jurisdiction. No reference was made to any cloud-computing platforms the criminals might have used. Nothing was said about the domains or IP addresses the criminals used. And not one person has been arrested. The only piece of news in this news release is so vague that we have no specifics about what the police did or how they did it. Some journalists wrote that Flubot had been ‘squashed’, ‘shut down’ or ‘busted’, but they might as well have copied Europol’s press release word-for-word, because they had no additional insight to offer.

It is normal for journalists to engage in a degree of copy-and-paste when writing their stories. A public relations scribe writes several paragraphs of positive news about their organization’s successes in the expectation that a few hundred journalists will then draw attention to this news after rearranging the words with the help of a thesaurus. However, a release this thin is hard to square with what was previously said about the seriousness of Flubot. Security business BitSight said it had identified 1.3 million IP addresses used by infected Android devices since the malware was first identified in the wild in early 2020. Whenever there was an outbreak of Flubot messages, telcos and news organizations would respond by issuing a series of warnings about the importance of not clicking on links in SMS messages. Citizens pay taxes so the police can protect them from crime, but nobody seems to be asking whether police forces do enough to deter crimes of this nature. We take it as normal that Europol can issue a press release that effectively boasts about what it has done, even though the release says hardly anything about what was done. When it comes to prosecuting those responsible, they can only say:

The investigation is ongoing to identify the individuals behind this global malware campaign.

Cyberspace can be hard to navigate, but servers are physical objects. Somebody purchased the servers used to command and control each instance of Flubot installed on victims’ phones, or else rented that capacity from a hosting provider, in which case there is a customer account and a payment record to follow. Somebody owned the buildings in which those servers were located. Somebody paid for the electricity they used, or else rigged the supply so they could steal it from somebody else. Let us hope the investigation makes urgent progress in locating the people behind the infrastructure, so they are soon locked up. But perhaps they will never face punishment, because there are governments which allow hackers to act with impunity so long as their attacks only target victims overseas.

The majority of journalists failed to notice that the reported ‘takedown’ will not prevent the architects of this crime from setting up new servers to spread the same malware again. Europol implied that Flubot itself has been taken down. It has not. Malware does not stop existing just because you seize the computers that were used to command and control it. Other computers can take on the same role for the same malware, and the copies already installed on victims’ phones do not uninstall themselves. Flubot was repeatedly adapted to overcome countermeasures; it can be adapted again. And whilst there may be strategies which could prevent the spread of Flubot in future, such as a zero-trust approach to hyperlinks in SMS messages that blocks links unless the sender has been verified, those strategies have not been widely pursued in practice. Flubot remains a risk, despite claims to the contrary.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.