Cyber safety

Flubot Information

We’re aware of a new and sophisticated text scam making the rounds in New Zealand. The content of the scam message is changing all the time. The scam seeks to install malware on your handset in order to steal personal information.   

Skinny Flubot text message: We've sent a text message to all our mobile customers to warn them about the scam. This message is an FYI and does not have any links to click on. We’re also notifying customers who we believe have downloaded the malware. The message will have been sent from the short code 2450.

Read on for information and advice on what to do if you’ve received one of these texts or you think you might have downloaded the malware.  

Remember:  If you receive a suspicious looking text message, do not click on any links, download any apps or install any updates.

About Flubot 

Flubot is malware disguised as an application or update which, if downloaded, can gain access to certain functions on your handset. The malware is mainly being spread by scam text messages, the content of which is evolving quickly – see our screenshots for examples of the content we have seen.

Android users

The message tries to target Android users and advises customers to click on a link. It will then take you to a webpage where it either asks you to download an app or do an update of some kind.

This is not a genuine text message and downloading any applications or updates will install the Flubot malware on your handset.  

Learn about malware here: https://www.cert.govt.nz/individuals/common-threats/malware/  

iPhone users 

Flubot can't be downloaded and installed on an iPhone.

If you’re an iPhone user, you can still receive the message, however we understand that if you click the link, it will take you to a webpage that asks you for personal information rather than to download an app or update.

Examples of Flubot SMS

How do I identify the Flubot scam text?

The text message will look to have come from a normal New Zealand or Australian mobile number.

The domain name in the link will likely be unfamiliar and unusual.  

There are different versions of the text message, and they will continue to evolve to try and trick you into clicking a link and downloading the malware. The predominant message we are seeing says that you have a package delivery you can track, or that your delivery failed, and provides a link. Another says that someone has uploaded your pictures and provides a link for you to download your photo album or to download a Voice Message app to chat. The message may also advise that your phone has been accessed and you should click a link to find out more, or that you need to do a security update.

What should I do if I receive the scam text? 

Do not click on the link, or text or call the number back, and do not download any apps that don’t come directly from the Apple or Google app stores.  

Please report the scam by forwarding the text message directly to the DIA on 7726. After that, delete the text message. 

I think I clicked on the link in the scam text, what should I do? 

As long as you didn’t download the app or enter any personal information, you should be fine. Be sure to report the scam text to the DIA on 7726 then delete the text message.  

I’m an Android user and think I downloaded the malware, what should I do? 

If you have a new 'DHL Express Mobile' or a new 'Voicemail' icon on your home screen, the malware has infected your device.

You can also check to see if the malware has infected your handset by: 

1. Running Google Play Protect 

2. Open the Google Play Store app.

3. At the top right, tap the profile icon. 

4. Tap Play Protect and then Scan. 

Alternatively, you can install an Android anti-malware app by searching for ‘anti malware’ in the Play Store. Please note, these may not detect newer variants of the app.

If you do have the malware, the safest way to remove it is to perform a factory reset on your handset (this will delete all data on your phone including photos). You should also change the passwords for any applications or accounts you have used while the app has been installed. If you have used these same passwords for any other accounts, then these also need to be changed. 

If you restore from a backup, please ensure the backup was taken prior to installing the app or the app might be reinstalled. 

Remember: You should never download any apps that don’t come directly from the Apple or Google App store. 

Flubot app

You’ve notified me that the Department of Internal Affairs has told you I may have downloaded the malware, how do you know? 

Once the malware is downloaded on someone’s device, they become an ‘infector’, meaning scam texts are now being sent from their number without their knowledge. This is because when Flubot is downloaded, the malware allows scammers to gain access to various functions on the device, including sending text messages from it.

The Department of Internal Affairs (DIA) is asking all receivers of the scam SMS to report the message to them by forwarding it to 7726. When they receive a report, they reply asking for the number sending the SMS. When they receive multiple reports of a scam text coming from the same number, this is a good indication that the handset using the number is infected with Flubot. They then provide each Telco provider with a list of their respective infected mobile numbers.

I’m an iPhone user and think I have clicked on the link and entered personal information, what should I do?

The Flubot malware can only infect Android users, however iPhone users can still receive the scam text. If you click the link, it will detect you’re using an iPhone and take you to a page where it asks you for personal information.  

If you have entered any personal information, be sure to change your passwords, and if you have entered any credit card details contact your bank immediately. 

How does the Flubot spread itself? 

When Flubot is downloaded, the malware allows scammers to gain access to various functions on your handset, including reading your contact list. This enables it to harvest active contacts and spread the message wider.  

More information for Android users can be found at https://www.cert.govt.nz/individuals/alerts/parcel-delivery-sms-infecting-android-phones/