Malware 'Flubot' text and picture (MMS) message fraud

What’s happened?

Many people in the UK have been targeted with a text or picture (MMS) message that looks like it’s from a delivery service, or it may say that you’ve received a voicemail. The message appears in your phone’s built-in messaging app (not third-party apps such as whatsapp, signal etc) and asks you to download an app so that you can track a parcel or listen to the voicemail. Some messages claim to be from DHL, like our example below. But the scam has also used other company brands like Amazon, Asda, and Argos. They can also just generically reference ‘your parcel’ without mentioning a brand name.

If you click and download the app on an Android phone, it’ll try to install the app. If the app is installed, the malware contained in the app could intercept text messages or capture online banking details.

This fraud attack has affected all network operators and, although we believe we have blocked the majority of messages thanks to our enhanced protections, a small number of our customers may have received them. We’re advising customers to be alert and careful about clicking on any links received via text or picture (MMS) message.


Our advice to customers

If you’ve received the text or picture (MMS) message but have not clicked on the link:

You can delete it. You can also report it for free by forwarding the message to 7726. Where you forward a fraudulent message to 7726 and do not receive a reply, then this may be because you forwarded an MMS (picture) message, which 7726 does not currently support. In such cases, please text the word FRAUD to 7726, followed by the sender’s number/ID when prompted.

If you’ve received the text or picture (MMS) message and have clicked the link but not downloaded the app:

Your phone won’t be infected with malware and you can delete the message. To report the message, forward it free of charge to 7726. Where you forward a fraudulent message to 7726 and do not receive a reply, then this may be because you forwarded an MMS (picture) message, which 7726 does not currently support. In such cases, please text the word FRAUD to 7726, followed by the sender’s number/ID when prompted.

If you’ve received the text or picture (MMS) message, clicked on the link, and downloaded the app on an Android device:

Please be aware that your contacts, text messages, and online banking details may have been accessed by fraudsters.

If this has happened, you’re advised to follow the steps below immediately.

What to do if you’ve downloaded the app on an Android device

  1. Activate Google Play Protect (GPP) within the Google Play Store app – you can find info on how to do that here. This might allow you identify and uninstall the malware app. If you’ve been successful, in most cases, you’ll get a notification saying the app was successfully removed.

    A number of Huawei devices may not have access to Google Play Protect. If you have one of these devices, you can use Huawei’s own anti-virus tool.

  2. If the suspected malware app you downloaded remains on your phone, you can activate Android’s Safe Mode. Safe Mode temporarily blocks third-party apps from running and will let you uninstall the malware apps. You will need to follow the device manufacturer guidelines to activate Safe Mode.
  3. If the 2 steps above are unsuccessful, we strongly advise you to do a factory reset. If you don’t, then you could be at risk of having your personal data viewed by a fraudster. When you set up the phone after the factory reset, you may be asked if you want to restore from a backup. Please avoid restoring from any backups created after you download the malware app, as these will also be infected. If you don’t have backups enabled, then you’ll lose data like photos, downloads or contacts.

If you need help with any of the steps above, please contact us on 333.

For further protection:

  • If you use an online banking app, you need to contact your bank urgently. Tell them what’s happened and ask for further guidance.
  • Make sure you change any passwords stored on your device, in text messages, notes, or contacts.
  • Change any other app or online services passwords that you may have entered while the fraud app was installed.

If your device has been infected with the Flubot malware, you may have been charged for text messages over your plan. If so, we’ll arrange a refund for you as soon as possible.

What to do if I’ve received the text or picture (MMS) message, clicked on the link and downloaded the app on a non-Android device?

Your device won’t have been affected and you can delete the message. If you’d like to report this, then forward it for free to 7726. Where you forward a fraudulent message to 7726 and do not receive a reply, then this may be because you forwarded an MMS (picture) message, which 7726 does not currently support. In such cases, please text the word FRAUD to 7726, followed by the sender’s number/ID when prompted.

To protect yourself from future scams like this, you should:

  1. Enable built-in or third-party antivirus tools
  2. Enable back-ups on your device so you don’t lose important information
  3. Avoid opening suspicious web links in messages
  4. Only install apps from the app store that your manufacturer recommends
  5. Avoid giving apps unnecessary permissions
""

Did you find this page useful?

Any feedback you have helps us make your experience better.