The Belgian government reports that a malicious SMS impersonating the Belgian postal service has compromised at least 9000 Android phones.
Smishing is a social engineering attack delivered over SMS. In this smishing campaign, recipients were told to follow a link about a postal package in transit. The link leads to a URL hosting a fake Belgian Post app that contains the FluBot malware.
FluBot is a banking Trojan that steals data in order to commit banking fraud. After installation, FluBot is able to intercept and send SMS messages, read the contact list, call phone numbers and disable Google Play Protect.
“At least 9000 users clicked on their smartphone on the link and downloaded the app. Their device is infected with a dangerous virus that causes a lot of damage and spreads to the contacts of the victim.” (Belgian Federal Cyber Emergency Team)
- Never install a mobile app from a link in an SMS. Postal services will usually provide you with a tracking code that you can enter after browsing to their website yourself.
- On Android, don’t install apps from unknown sources. Only use the official Play Store.
- Always keep your smartphone OS up to date with the latest patches.
- If your device is compromised, reset it to factory settings. Note that this will erase all data on the device.
Recommendations for businesses
Smishing can catch your employees off guard, even those who are usually very cautious with phishing emails. Smishing is more than a change of delivery channel for phishing: it also requires different training to make people aware of it. Our PhishManager platform offers both smishing training for your employees and simulated smishing, so your employees are tested in practice on what they have learned. Partnering with a platform like PhishManager is an effective way to prevent employees from falling for real phishing and smishing attacks that could have large repercussions for your business.
PhishManager helps businesses strengthen their defenses against phishing attacks. Our service uses on-demand training and simulated phishing to teach your staff to recognize and report suspicious emails. By helping your staff build practical security awareness skills, we also give you insight into the risk profile of your business and significantly lower the chances of compromise by cyber criminals.