Cybercrime: Aggressive malware, which targeted Android phones, successfully eliminated thanks to international cooperation involving the Swiss law enforcement authorities and other partners

 

At the end of May, a large-scale operation led by Europol and the Dutch police and involving other law enforcement authorities succeeded in stopping the rapid spread of a type of malware known as «FluBot». The malware, which infects mobile phones with the Android operating system via text messages, such as those sent by SMS, has also caused considerable damage in Switzerland. fedpol and the Office of the Attorney General of Switzerland were directly involved in the effort as operational and strategic partners.

Office of the Attorney General of Switzerland (OAG)

In response to a series of smishing cases (phishing via SMS) using the FluBot malware originally committed between April and July 2021, the Office of the Attorney General of Switzerland (OAG) opened criminal proceedings in April 2022 against unidentified perpetrators on suspicion of unauthorised data procurement (Art. 143 Swiss Criminal Code (SCC)), unauthorised access to data processing systems (Art. 143bis SCC), damage to data (Art. 144bis SCC) and computer fraud (Art. 147 SCC). As well as seeking to identify the perpetrators, investigators also aimed to determine how the malware worked, identify cases and victims in Switzerland and support ongoing investigations abroad. Thanks to the intensive joint preliminary investigations carried out by fedpol and the OAG, Switzerland has been able to make a substantial contribution to eliminating this malware as part of this joint operation, thereby winning an important battle in the war on cybercrime.

Malware deactivated on the «day of action» – further investigations ongoing
In the course of an international operation coordinated by Europol, termed a «day of action», in which eleven countries participated, the FluBot malware was successfully stopped. The Dutch police were able to destroy the infrastructure and deactivate the malware strain. However, investigations aimed at identifying the suspected perpetrators are still ongoing. Ahead of the day of action, fedpol conducted preliminary investigations in Switzerland under the leadership of the Office of the Attorney General of Switzerland. In close cooperation with the cantonal police forces, the National Cybersecurity Centre (NCSC), telecommunications providers and the digitalisation service provider Switch, information on how the malware works and on cases and victims of FluBot were collected and evaluated. fedpol coordinated the international exchange of information, in particular with Europol.

A single malware SMS can trigger an avalanche of destruction
The attacks via SMS, which have affected several million mobile phone users around the globe, including many in Switzerland, involved the following process for users of mobile devices based on the Android operating system: the perpetrators infected mobile phones with a malware that was spread through SMS text messages. The SMS contained a link that was supposed to lead the victims to a postal package tracking page. Clicking on the link however caused the malware to be installed, allowing perpetrators to gain direct access to data such passwords, e-banking information, SMS texts and data on online accounts. The hackers then exploited this access in order to steal log-in data for banking applications or account data for crypto-currencies and to deactivate integrated security mechanisms. The malware strain was able to spread like wildfire, as it could access the contacts on an infected smartphone. It then sent messages to these contact numbers that also contained links to the FluBot malware, which caused the malware to spread even further. Thanks to the coordinated operation conducted by Europol, law enforcement authorities have now successfully taken control of the relevant infrastructure and stopped this destructive spiral.

Valuable cooperation between countries, authorities and businesses
In view of the international dimension of cybercrime, close cooperation between all the countries involved is required to deal with these cases and to identify the perpetrators. In this case, the numerous investigative measures carried out by the Swiss law enforcement authorities in cooperation with the National Cybersecurity Centre NCSC and partners from the private sector, in particular the telecommunications providers concerned and Switch, led to a successful outcome, preventing the malware from spreading any further.

The more serious instances of cybercrime that are reported, the better can the law enforcement authorities combat this phenomenon, as they can gather more evidence and put it to good use. It is in the interests of ordinary members of the public and of organisations that fall prey to cyber-attacks to report such cases to the authorities, ideally by making a criminal complaint directly to the public prosecutor’s office or the police.

The Swiss criminal proceedings are continuing. The main objective is now to identify the perpetrators with the aid of evidence that can be used in court. As criminal proceedings are a dynamic process which is not influenced by the OAG alone, no prognosis can be made as to the timescale or outcome.

The presumption of innocence applies to all parties to the proceedings. The OAG is unable to provide any further information on the criminal proceedings and/or on any specific steps in the proceedings at present.

www.ba.admin.ch