NCSC publishes list of domain names used by FluBot

The National Cyber ​​Security Center (NCSC) has posted a list on GitHub with the domain names that FluBot uses to make victims. These are websites that use version 4.6 and earlier of this malware. Organizations can use this list to detect and block infections.

Tens of thousands of Dutch victims of FluBot

FluBot is a malicious application that infects Android smartphones with malware and then steals various financial and personal information from users. The first reports about this rogue app, which has all the characteristics of a Trojan horse, surfaced last month. Then a text message went around saying that a package was on its way to the recipient. To see when the package would be delivered, users were asked to download an application.

Whoever tapped the attached link in the text message landed on a page where the infamous app could be downloaded. Unsuspecting victims installed the app on their smartphone. Once on their device, the app did nothing at all. Or so it seemed: you couldn’t open it to track your package. In the background, the app stole personal data and checked if you had any cryptocurrency apps.

That’s not all FluBot did. If you transferred money to, for example, an acquaintance or friend, the app changed the bank account number and the amount. Victims discovered this after the transaction had taken place. At the time of writing, FluBot has already made tens of thousands of victims in the Netherlands. The malware is able to spread at a rapid rate as it collects mobile numbers of victims’ contacts.

Domain names from Russia and China

The Ministry of Economic Affairs and Climate, the National Police, the Fraud Helpdesk, KPN and cybersecurity company ThreatFabric warned Android users about FluBot last month. Because the malware can send text messages unnoticed, it is possible that your telephone bill is much higher than normal, according to KPN. The Fraud Helpdesk advised against opening URLs in a message if you do not know or trust the sender.

The National Cyber ​​Security Center (NCSC) is now also contributing. The cybersecurity advisory has published a list of domain names used by FluBot on the developer platform GitHub. These are domain names that use version 4.6 and older of the malware to communicate with the Command & Control server. The NCSC says companies and organizations can use this list to prevent cellphones from being infected and “take action where necessary.”

On the NCSC list, we find thousands of domain names mainly from Russia and China (.ru, .su and .cn).

This is what you need to do if you have FluBot installed on your smartphone

Have you accidentally installed FluBot on your mobile phone? If you act quickly, it doesn’t have to be a disaster. The first thing to do is to back up the most important files and data on your phone. Then you go back to the factory settings. How this should be done differs per Android device. For modern Samsung phones, go to  Settings > General management > Reset > Factory reset.

It is also a good idea to warn your contacts. Chances are they received a fake message to install FluBot. Last month, the Belgian Institute for Postal Services and Telecommunications (BIPT) advised you to change passwords for online services and applications if you have recently logged in there. If you use the same password for multiple services, it is smart to change this as well. Do you struggle to come up with and remember strong passwords? Then use a password manager. has listed the best password managers of 2021  for you.

Catch up on more articles here

Follow us on Twitter here


Must read


Related Posts