We’re aware of a new and sophisticated text scam making the rounds in New Zealand. The content of the scam message is changing all the time, but ultimately the scam seeks to install malware on your handset in order to steal personal information.
Spark Flubot text messages
We've sent a text message to our mobile customers to warn about this scam. This message is just for your information and does not have any links to click on. The message is sent from short code, 9802.We’re also notifying customers that we believe have downloaded the malware. The message will have been sent from short code, 9802.
Read on to find out what to do if you’ve received one of these texts or you think you might have downloaded the malware.
Remember: If you receive a suspicious looking text message, do not click on any links, download any apps or install any updates.
Flubot is a malware disguised as an application or update. If downloaded it can gain access to certain functions on your handset.
The malware is mainly being spread by scam text messages, the content of which is evolving quickly – see our Frequently asked questions for examples of the content we've seen.
The message tries to target Android users and advises you to click on a link. It then takes you to a webpage where it asks you to download an app or update of some kind.
This is not a genuine text message and downloading any applications will install the Flubot malware on your handset.
Learn about malware on the NZ Govt CERT website
Flubot can't be downloaded on an iPhone.If you’re an iPhone user, you can still receive the scam text. However, we understand that if you click the link, it will take you to a webpage that asks you for personal information rather than to download an app or update.
Frequently asked questions
How do I identify the Flubot scam text?
- The text message will look like it's come from a normal New Zealand or Australian mobile number. The domain name in the link will likely be unfamiliar and unusual. There are different versions of the text message and they will continue to evolve to try and trick you into clicking a link and downloading the malware.
Here are some examples of the scam texts we're seeing:
- This message may advise that you have a package delivery that has been shipped or failed to be delivered, and includes a link to get more details.
Your photos have been accessed
- This message may also advise that your photos have been accessed and uploaded online. It includes a link to get more details.
Voice messenger app
- This message may advise that you have a voicemail and ask you to try a voicemail app. The message includes a link.
Thank you message
- This message may suggest you have a thank you gift from someone and includes a link.
What should I do if I receive the scam text?
- Do not click on the link, or text or call the number back.
- Do not download any apps if they aren't directly from the Apple or Google app stores.
- Please report the scam by forwarding the text message directly to the DIA on 7726. After that, delete the text message.
I think I clicked on the link in the scam text, what should I do?
- As long as you didn’t download the app or enter any personal information, you should be fine.
- Be sure to report the scam text to the DIA on 7726 then delete the text message.
I’m an Android user and think I downloaded the malware, what should I do?
- If you have any of these icons on your home screen, the malware has infected your device. Please note, this scam is evolving and there may be other app icons we aren’t aware of:
- You can also check to see if the malware has infected your handset by:
- Running Google Play Protect
- Open the Google Play store app
- At the top right, tap the profile icon
- Tap Play Protect and then Scan
- Installing Android anti-malware apps, by searching for ‘anti malware’ in the Play Store. Please note, these may not detect newer variants of the app.
- If you do have the malware, the safest way to remove it is to perform a factory reset on your handset (this will delete all data on your phone including photos). You should also change the passwords for any applications or accounts you have used while the app has been installed. If you have used these same passwords for any other accounts, then these also need to be changed.
- If you restore from a backup, please ensure the backup was taken prior to installing the app or the app might be reinstalled.
- Remember: You should never download any apps that don’t come directly from the Apple or Google App store.
You've notified me that the Department of Internal Affairs has told you I may have downloaded the malware, how do you know?
- Once the malware is downloaded on someone’s device, they become an ‘infector’, meaning scam texts are now being sent from their number without their knowledge. This is because when Flubot is downloaded, the malware allows scammers to gain access to various functions on someone’s device, including sending text messages from your device.
- The Department of Internal Affairs (DIA) is asking all receivers of the scam SMS to report the message to them by forwarding it to 7726. When they receive a report, they reply asking for the number sending the SMS. Where they receive multiple reports where a scam text has come from the same number, this is a good indication that the handset using the number is infected with Flubot. They then provide each Telco provider with a list of their respective infected mobile numbers.
I’m an iPhone user and think I have clicked on the link and entered personal information, what should I do?
- The Flubot malware can only infect Android users, however iPhone users can still receive the scam text. If you click the link, it will detect you’re using an iPhone and take you to a page where it asks you for personal information.
- If you've entered any personal information, be sure to change your passwords.
- If you've entered any credit card details, you should contact your bank immediately.
How does the Flubot spread itself?
- When Flubot is downloaded, the malware allows scammers to gain access to various functions on your handset, including reading your contact list. This enables it to harvest active contacts and spread the message wider.
More information for Android users can be found on the NZ Govt CERT website. View CERT advice about this scam