Missed call, voicemail and package collection SMS virus (Flubot)

Since August 2021, many Australians have been receiving scam text messages about missed calls or voicemails. More recently, the texts appear to be from DHL, advising that you have a package to collect.

The text messages are fake and ask you to tap on a link. The link downloads an app which launches malicious software called Flubot on your device.

If you receive one of these messages, do not click or tap on the link. Delete the message immediately.

What the scam messages look like

The DHL messages look like this:

  • The delivery time for your parcel is 03/09. Check out your options: http://example.com/g.php?l2r54ya alfal
  • Your DHL order ID1842225 will arrive soon. Track progress here
  • Your order will be delivered by DHL tomorrow between 11:26 and 14:26. Track progress https://example.com/n.php?la4pmtf6u yewv
  • You have (1) Pending Package! Ref: DHL-6461W Last chance to PICK it up > https://www.example.com/t.php?kdnypf0ng0


Example: An SMS that says your order will be delivered soon



Example: This SMS says it's your last chance to pick up a pending package.

 

Example: This SMS says that a parcel is coming today.

Example: SMS that claims you have 2 packages and it is your last chance to collect.

Example: This SMS asks you to click to track a package.

 

The voicemail and missed call messages look like this:

The text message often begins with 5-6 random lowercase letters or numbers, then says there is a missed call or voicemail message.

The text message may also have several misspellings. Here are some examples.

  • ab12c3 Nfw voice yessage received
  • gh6tr7 Voicemail message receiied
  • x78y9z New oozce-message received

After mentioning a missed call, voicemail or message, the messages include a link. The message may also say the voicemail message will be automatically deleted if not accessed.
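
The three indicators described above (a random 5-6 character opening, a misspelled voicemail or missed call phrase, and a link) can be checked together by a message filter. The following is an added example, not part of the original advisory; the phrase list, the 0.8 similarity threshold, the function names and the sample link are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Correctly spelled lure phrases, inferred from the misspelled examples above.
LURE_PHRASES = (
    "new voice message received",
    "voicemail message received",
    "new voice-message received",
    "missed call",
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Indicator 1: 5-6 lowercase letters or digits opening the message.
PREFIX_RE = re.compile(r"^[a-z0-9]{5,6}\s+")
THRESHOLD = 0.8  # assumed cut-off; tune against real traffic


def lure_similarity(text: str) -> float:
    """Best fuzzy match between any word window in text and a lure phrase."""
    words = re.findall(r"[a-z-]+", text.lower())
    best = 0.0
    for phrase in LURE_PHRASES:
        n = len(phrase.split())
        for i in range(max(1, len(words) - n + 1)):
            window = " ".join(words[i:i + n])
            best = max(best, SequenceMatcher(None, window, phrase).ratio())
    return best


def score_sms(body: str) -> dict:
    """Report which of the three indicators a message shows."""
    has_link = bool(URL_RE.search(body))
    text = URL_RE.sub(" ", body).strip()
    prefix = PREFIX_RE.match(text)
    rest = text[prefix.end():] if prefix else text
    has_lure = lure_similarity(rest) >= THRESHOLD
    return {
        "random_prefix": bool(prefix),
        "lure_phrase": has_lure,
        "link": has_link,
        "suspicious": bool(prefix) and has_lure and has_link,
    }


# Constructed sample: a misspelled example from this page plus a placeholder link.
SAMPLE = "ab12c3 Nfw voice yessage received http://example.com/v.php?abc123"

if __name__ == "__main__":
    print(score_sms(SAMPLE))
```

Fuzzy matching is used because the misspellings change from message to message, so an exact keyword match would miss them.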

 

Example: Android's spam/blocked folder with several scam messages

 

Example: A scam message saying that a voicemail message was received

 

 

Example: A fake voice message notification on an iPhone

 

Example: A text message saying that the recipient missed a call

 

Example: An iPhone notification showing a scam message about a missed call

What happens if I click or tap the link?

Clicking/tapping the link could lead to downloading malware (malicious software) to the phone.

For delivery SMS

You will see a screen with:

  • stolen DHL / courier branding
  • a button or link asking you to download an app to track your delivery's progress

The page sometimes says your phone may flag the app as suspicious and that you should ignore this warning.

For voicemail and missed call SMS

You’ll see a screen that typically includes:

  • your phone number
  • a note saying how long the fake message is (such as 2 minutes and 34 seconds)
  • a link to ‘Download voicemail app’ and instructions to enable the download of the application if this was blocked initially by the phone

How do I tell if my phone is infected?

If the device is infected with Flubot, you will not know that your personal data is being accessed, and you will not be able to see your handset sending SMSs to infect others, although it will appear in your use history. Here are the warning signs that a device is infected:

  • There’s a new app that you don’t recognise or remember installing
  • You may receive text messages or telephone calls from people complaining about messages you sent them, but you did not send the messages.

What if I have downloaded Flubot?

Act immediately. If you have already clicked the link to download the application, passwords and online accounts are now at risk from hackers. You should not enter any passwords or log into any accounts on the infected device until you have followed the steps below.

Clean the device

Cleaning the device using the steps below will remove the malicious software from your device.

To clean your device:

  • contact an IT professional
  • download official Android anti-virus software through the Google Play Store
  • perform a factory reset of the device

Note - performing a factory reset of the device will delete all data including photos, messages, and authentication applications. If you want to restore a backup, make sure it’s a backup from before the infection. 

Change passwords and secure information

  • If you have logged into any accounts or apps using a password since downloading the Voicemail Flubot app, you must change the passwords.
  • If you have used the same passwords for any other accounts, you also need to change those passwords.
  • Contact your bank and ensure your accounts are secure.

How you can protect yourself

  • Do not click on links in text messages saying they have a voicemail or missed call.
  • Do not call back the individual who sent the text. It’s unlikely that they are a scammer or criminal. Scammers can disguise their caller ID as legitimate numbers to carry out these scams. This is also known as spoofing.
  • Delete the message immediately.
  • Learn more about FluBot scams and other relevant phone scams at www.scamwatch.gov.au and at the IDCARE website.

What if I have been scammed?

  • Make a report to ReportCyber if you have been a victim of this cybercrime.
  • Report scams to the ACCC via the report a scam page. This helps to warn people about current scams, monitor trends and disrupt scams where possible. Include details of the scam contact received, for example by including the email or screenshot.
  • If you have lost personal information to a scammer and are concerned, contact IDCARE.
  • Spread the word to your friends and family to protect them.