
Trojan danger from parcel SMS: What to do if you clicked on the link?

A dangerous wave of phishing is sweeping through Germany. Unlike usual, the lure messages with a link are sent not by e-mail but by SMS. How should those affected deal with it?

"Your package has been sent. Please review and accept." This slightly clumsy SMS with a link has been circulating since January and sometimes spreads dangerous Android malware called FluBot. Various police authorities in the federal states have been warning urgently against the spam messages for weeks. Most recently, the Federal Office for Information Security (BSI) got involved and speaks of SMS phishing, or "smishing" for short. Android users are particularly affected.


There are now different variants of the SMS, such as "The gift you bought was sent by express please check http: //....duckdns.org" or "Your package was delivered. Please check and in good time accept. http: //....duckdns.org". Instead of the duckdns.org link, some variants use a link from the provider "shortrl.at" or "tinyurl.com".
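The link hosts and lure wording quoted above can be turned into a simple message filter. The following is an added example, not part of the original article: the function names, the verdict labels and the sample messages are assumptions made for illustration, and the sample host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Link hosts named in the article. tinyurl.com is a general-purpose
# shortener, so a host match alone is a signal, not proof.
LINK_HOSTS = ("duckdns.org", "shortrl.at", "tinyurl.com")
# Lure wording taken from the SMS variants quoted in the article.
LURE_WORDS = ("package", "gift", "delivered", "sent", "accept")
# Tolerates the space after the scheme seen in the quoted texts ("http: //").
URL_RE = re.compile(r"(https?):\s*//\s*([^\s\"'<>]+)", re.IGNORECASE)

def extract_hosts(sms_text):
    """Return the lower-cased hostnames of all links in an SMS body."""
    hosts = []
    for scheme, rest in URL_RE.findall(sms_text):
        try:
            host = urlsplit(f"{scheme.lower()}://{rest}").hostname
        except ValueError:  # malformed authority, e.g. stray brackets
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def host_matches(host, domain):
    """True for the domain itself or a subdomain, not for look-alikes."""
    return host == domain or host.endswith("." + domain)

def classify(sms_text):
    """Score one SMS: link host named in the article plus parcel-lure wording."""
    hosts = extract_hosts(sms_text)
    flagged = [h for h in hosts if any(host_matches(h, d) for d in LINK_HOSTS)]
    lures = [w for w in LURE_WORDS if re.search(rf"\b{w}\b", sms_text, re.I)]
    verdict = "likely-smishing" if flagged and lures else "suspicious" if flagged else "no-match"
    return {"verdict": verdict, "hosts": flagged, "lures": lures}

# Constructed sample messages (the host names are made up for this example).
SAMPLES = [
    "Your package has been sent. Please review and accept. http: //constructed-host.duckdns.org/p",
    "Lunch at 12? Menu: https://tinyurl.com/constructed-menu",
    "Your package is ready. Details: https://notduckdns.org/track",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify(sms)["verdict"], "<-", sms)
```

A shortener link without lure wording is only marked "suspicious", because such services are also used in legitimate messages.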

Where did the perpetrators get their phone numbers from?

"In the last seven days we have seen a rapid increase in campaigns in Germany," says Android malware expert Lukas Stefanko from the IT security company Eset. "In addition to fake messages from Fedex, users now also receive similar notifications from DHL and other service providers, among others."


The scam is probably so successful because online trading is booming during the Corona crisis and many users are actually expecting delivery.

In addition, there is the latest data leak on Facebook, which brought millions of cell phone numbers back into circulation. The scammers behind the current wave of spam could also have used this. "The use of such stolen data sets is not uncommon and accelerates the spread of the malicious app enormously," confirms Stefanko. This article explains how you can find out if you are also affected.

Is it dangerous to receive the SMS?

No. If you have received the phishing message and ignored it, you don't have to worry that the malware has already lodged itself on your mobile phone.

Clicking on the link does not install the Trojan immediately. Instead, users first end up on a phishing page, where they have to initiate the download themselves. The malware is disguised as a parcel app, for example.

In a Twitter video, Stefanko shows that fully installing the malware involves several steps. Users have to grant the app some access rights and adjust their smartphone settings for this.

The download does not work on iPhones: the iOS operating system prevents the installation of apps from external sources. However, there is a risk that iPhone users will also be lured via the fake parcel SMS to dubious websites, where they may reveal their access data or fall into subscription traps. So if you get such a short message, it is best to delete it or ignore it.

What damage does the Trojan cause?

According to the BSI, the Android Trojan has been in circulation since around November 2020 and is particularly interested in data entered into banking or trading apps. In addition, the malware tries to access contact data from the address book in order to send further SMS. This means that the parcel SMS with the dangerous link spreads in the manner of a pyramid scheme.

Arrests in connection with the spam campaign are said to have already taken place in Spain. Stefanko believes that the danger is far from over: "FluBot seems to be offered in underground forums as malware-as-service," says the malware expert. "The perpetrators seem to have only rented the banking Trojan's infrastructure."

What to do if you have installed the fake app?

Android users who have already received a text message and clicked on the link should pay attention, especially if they discover masses of sent SMS in their message history or, combined with high accrued costs, on their mobile phone bill.

Because then the probability is high that by tapping the SMS link you have triggered the installation of a Trojan that will now happily send expensive SMS - for example to special and premium numbers or to non-European countries.

Now it is time to act: Those affected should switch their smartphone to flight mode immediately, inform their mobile network provider and let them set up a so-called third-party block. This is the advice of the State Criminal Police Office (LKA) Lower Saxony.

If it is not yet clear whether costs have been incurred, the next step is to check. If, for example, no overview of the current month or the past months is possible in the online customer area, you can ask the provider for a cost statement.

File a complaint and secure evidence

Next, the LKA advises filing a complaint with the local police station. Take your smartphone with you, along with screenshots or photos of the display and, if available, cost statements.

Only then should the Trojan be removed from the device. To do this, start the smartphone in safe mode. How this works differs from device to device. The correct key combination can usually be found on the manufacturer's support website.

Searching for clues in Safe Mode

In safe mode, look for apps that were installed most recently and that you did not knowingly install yourself. Remove these apps and restart the smartphone. In the worst case, only resetting the device to the delivery state helps.

Before doing this, do not forget to back up the data on the device to online storage (cloud) or to a memory card. Then go to the "Reset" item in the settings and select the item called "Delivery status (delete all data)" or something similar.

Caution: consider the boomerang effect

Anyone who then wants to restore their data from a cloud backup to the device should make sure that there are no apps among them. Otherwise you would have the Trojan on your smartphone again, warn the experts. Instead, you download missing apps individually from Google's Play Store.

To prevent such attacks, you should deactivate all slide switches in the settings under "Security / Installations from unknown sources". Android banners that warn of apps from unknown sources should be taken seriously.

What about the bill?

Important: Contact the provider at an early stage, secure evidence and file a report with the police. Then consumers do not have to pay the part of the mobile phone bill caused by the Trojan. The Telecommunications Act (TKG) protects them from this.

Because in the TKG (Paragraph 45i Paragraph 4) it says: "Insofar as the subscriber proves that the use of the provider's services cannot be attributed to him, the provider has no claim to remuneration from the subscriber. The claim also does not apply if the facts justify the assumption that third parties have influenced the connection fee charged by unauthorized changes to public telecommunications networks."

How to protect yourself from spam SMS

Some smartphones already have a built-in spam filter for SMS. Users can activate or deactivate spam protection in the settings of the Messages app. On iPhones there is also the option to block messages from unknown numbers.
