S1067: FluBot
FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]
Analyst context for executives and security teams
FluBot matters because it shows how mobile malware can turn an employee or customer Android phone into an identity, fraud, and data-loss problem: SMS phishing is used for delivery, while the related behaviors include stealing SMS and notifications, capturing GUI input, abusing accessibility features, controlling SMS, persisting by resisting removal, and communicating over web/C2 channels. Even though ATT&CK notes that law enforcement disrupted FluBot’s spread, the mapped behaviors remain important control and monitoring requirements for mobile security programs.
Executive priority
Treat this as a mobile identity and fraud-readiness use case, not just a malware label. Leaders should ask whether Android devices that access business email, banking, collaboration, or MFA workflows are governed by mobile device policy, whether SMS-based authentication risk is understood, and whether SOC and IR teams can investigate suspicious mobile permissions, SMS abuse, notification access, and anomalous web traffic. The priority is validating mobile telemetry and response authority before an incident forces decisions about account resets, device isolation, user notification, and evidence collection.
Technical view
For SOC, detection engineering, and IR, FluBot should be modeled around its ATT&CK relationships rather than a single signature. Validate visibility on Android devices for suspicious accessibility-service use, SMS permissions and default SMS-handler changes, notification access, contact and SMS content access, attempts to prevent app removal, disabling or modifying tools, user-evasion behavior, obfuscated payloads, web-protocol C2, asymmetric encrypted communications, DGA-like destination patterns, proxy-through-victim behavior, and exfiltration over C2 channels. Because the official ATT&CK object provides no detection text and no tactics, local detections should be built from device management, mobile threat defense, application inventory, permission state, and network evidence.
Likely telemetry
- Android application inventory and installation source history
- Mobile device management or enterprise mobility management compliance state
- Application permission grants, especially SMS, contacts, notification access, accessibility services, and device administrator privileges
- Default SMS-handler changes and SMS send/receive activity where available
- Notification access and suspicious notification dismissal or one-time-code exposure indicators where available
Detection direction
- Start with control coverage questions: which Android devices are managed, which are allowed to access sensitive services, and which produce usable security telemetry.
- Tune detections for risky permission combinations rather than single permissions alone, such as accessibility plus SMS, contacts, notification access, or device administrator capabilities.
- Correlate SMS phishing reports with new Android app installs, permission grants, and suspicious web-protocol traffic from the same device or account.
- Review alerts involving prevention of application removal or security-tool interference as higher-priority mobile persistence and evasion signals.
- Use network analytics cautiously: FluBot-related behaviors include web protocols, asymmetric cryptography, DGAs, and exfiltration over C2 channels, so domain and traffic anomalies may help, but encrypted mobile traffic can limit content inspection.
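A worked version of the permission-combination rule from the list above, added here as an example and not code from FluBot, ATT&CK or Glexia: it scores each Android app in an MDM-style inventory, counting accessibility access only when paired with SMS, contacts, notification-listener or device-admin capability, and adds weight for the default SMS-handler role and non-Play installation. The inventory keys and sample records are assumptions constructed for the example.

```python
# Added example, not FluBot's or ATT&CK's code: score Android apps by the risky
# permission combinations above. Inventory keys (package, installer, permissions,
# default_sms_handler) are an assumed MDM export shape; records are constructed.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
RISK_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "notification access": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device admin": {"android.permission.BIND_DEVICE_ADMIN"},
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def score_app(app: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Accessibility alone scores 0; it only counts
    when paired with a capability FluBot combined it with."""
    perms = set(app.get("permissions", []))
    score, reasons = 0, []
    if ACCESSIBILITY in perms:
        for label, group in RISK_GROUPS.items():
            if perms & group:
                score += 2
                reasons.append(f"accessibility + {label}")
    if app.get("default_sms_handler"):
        score += 2
        reasons.append("holds the default SMS-handler role")
    if app.get("installer") != PLAY_STORE:
        score += 1
        reasons.append(f"installed outside Play via {app.get('installer')}")
    return score, reasons

def triage(inventory: list[dict], threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Apps scoring at or above threshold, highest first."""
    scored = [(a["package"], *score_app(a)) for a in inventory]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed inventory: a Play-installed messenger, a Play-installed screen
# reader, and a browser-sideloaded "parcel tracker" with FluBot-like permissions.
SAMPLE_INVENTORY = [
    {"package": "com.example.messenger", "installer": PLAY_STORE, "default_sms_handler": True,
     "permissions": ["android.permission.READ_SMS", "android.permission.SEND_SMS",
                     "android.permission.READ_CONTACTS"]},
    {"package": "com.example.screenreader", "installer": PLAY_STORE,
     "default_sms_handler": False, "permissions": [ACCESSIBILITY]},
    {"package": "com.example.parceltrack", "installer": "com.android.chrome",
     "default_sms_handler": False,
     "permissions": [ACCESSIBILITY, "android.permission.RECEIVE_SMS",
                     "android.permission.READ_CONTACTS",
                     "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
                     "android.permission.BIND_DEVICE_ADMIN"]},
]
```

Only the sideloaded app crosses the threshold; the messenger holds the SMS role legitimately and the screen reader uses accessibility without any of the paired capabilities.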
Mitigation priorities
- Prioritize managed Android enrollment and policy enforcement for devices accessing business systems.
- Restrict or alert on high-risk mobile permissions and roles, including accessibility services, device administrator privileges, notification access, contacts, and SMS capabilities where business policy permits.
- Reduce reliance on SMS-based authentication for sensitive workflows where feasible, because the mapped behaviors include SMS and notification access.
- Maintain mobile phishing reporting and user education focused on SMS-delivered app-install lures without assuming users can identify every malicious prompt.
- Ensure IR playbooks cover mobile device isolation, app removal challenges, credential reset decisions, MFA re-enrollment, and preservation of available mobile evidence.
Analyst notes and limits
ATT&CK identifies FluBot as Android mobile banking malware first observed in Spain in late 2020, primarily spread through SMS phishing messages in multiple languages across European countries, and later disrupted by an international law-enforcement operation. The decision value for defenders is the mapped behavior set: SMS phishing and control, credential or sensitive-input capture, access to stored app data, SMS messages, contacts, and notifications, abuse of Android accessibility features, persistence and evasion, and C2/exfiltration patterns.
The official ATT&CK detection field is not provided, tactics are not specified, and this summary must not be treated as evidence of current FluBot activity or local exposure. The platform supported by the supplied object is Android. Relationship descriptions include some techniques that also list iOS generally, but the FluBot object itself is Android. Local device-management scope, mobile telemetry, app inventory, and network visibility determine whether these recommendations are actionable.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1582 | SMS Control | FluBot can send SMS phishing messages to other contacts on an infected device.[1][2] |
| Mobile | T1637.001 | Domain Generation Algorithms Sub-technique | FluBot can use Domain Generation Algorithms to connect to the C2 server.[1] |
| Mobile | T1636.003 | Contact List Sub-technique | FluBot has used the contact list to infect more devices.[1][3] |
| Mobile | T1629.003 | Disable or Modify Tools Sub-technique | FluBot can disable Google Play Protect to prevent detection.[1][3] |
| Mobile | T1409 | Stored Application Data | FluBot has collected credentials, banking details and other information from the victim device.[3] |
| Mobile | T1406 | Obfuscated Files or Information | FluBot can obfuscate class, string, and method names in newer malware versions.[1] |
| Mobile | T1417.002 | GUI Input Capture Sub-technique | FluBot can add display overlays onto banking apps to capture credit card information.[1] |
| Mobile | T1660 | Phishing | FluBot has been distributed via malicious links in SMS messages.[3] |
| Mobile | T1604 | Proxy Through Victim | FluBot can use a SOCKS proxy to evade C2 IP detection.[1] |
| Mobile | T1437.001 | Web Protocols Sub-technique | FluBot can use HTTP POST requests on port 80 for communicating with its C2 server.[1] |
| Mobile | T1628.002 | User Evasion Sub-technique | FluBot can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.[1] |
| Mobile | T1453 | Abuse Accessibility Features | FluBot abuses accessibility features in three ways: to steal application credentials, to evade detection and removal, and to send SMS for lateral movement.[SahinSRLabs_FluBot_Dec2021] |
| Mobile | T1636.004 | SMS Messages Sub-technique | FluBot can intercept SMS messages and USSD messages from telecom operators.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | FluBot can send contact lists to its C2 server.[1] |
| Mobile | T1521.002 | Asymmetric Cryptography Sub-technique | FluBot has encrypted C2 message bodies with RSA and encoded them in base64.[1] |
| Mobile | T1517 | Access Notifications | FluBot can access app notifications.[1] |
| Mobile | T1629.001 | Prevent Application Removal Sub-technique | FluBot can use Accessibility Services to make removal of the malicious app difficult.[2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4578df2da703… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] proofpoint_flubot_0421: Crista Giering, F. Naves, Andrew Conway, Adam McNeil. (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
- [2] bitdefender_flubot_0524: Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.
- [3] Europol FluBot Jun2022: Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.
- [4] mitre-attack S1067
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.