The Department of Internal Affairs (DIA) confirms there are versions of the Flubot text-messaging scam, which has morphed from a parcel delivery message to one claiming your photos have been uploaded to an online album.
"'Someone uploaded your pictures," it says.
The text message provides a link, which it says is to that album.
If clicked, users will be directed to a fake security alert webpage that says your phone is infected with Flubot malware - and that you should install a security update to fix it.
But the alleged fix for Flubot is in fact the malware itself, which attempts to steal information such as credit card details and bank logins from your phone, and copies its address book then messages your contacts with the same scam.
Flubot can only infect Android phones, such as those made by Samsung, not iPhones (Apple's devices can receive the texts, but Flubot can't be downloaded to an iPhone).
If you receive a text from an unknown sender or a text with a suspicious hyperlink, do not click any links included in the message. Simply report the text spam for free on your phone by forwarding the spam text message to 7726 - which will not incur any fee.
"In the past 48 hours we have received over 58,000 reports of the scam" said Joe Teo, manager of the Digital Messaging and Systems Team.
The Herald started to get messages from readers reporting the new photo variant earlier today, then approached the DIA to confirm it was a variant on the same Flubot malware.
The Government's Computer Emergency Response Team (CERT NZ) is working with the DIA to block links associated with Flubot - but the messages continue to proliferate three days into the Flubot assault.
The DIA says if you have already downloaded the Flubot app, do not log into any accounts until you have taken the following steps:
- Perform a factory reset on your device as soon as possible. When you start up your device after the reset, it may ask you if you want to restore from a backup. Do not restore from any backups created after you downloaded the app, as they will also be infected.
- Change your passwords to any accounts or apps that you logged into after downloading the app.
Security company NortonLifeLock recommends the following precautionary steps for Android phone owners (again, iPhones are not affected):
- Disable "Install Unknown Apps". A lot of malicious apps find their way on your phone outside of the official Google Play store, but from unknown sources.
- While it might be tempting to install the occasional app that you can't find in the official app store, if you're willing to take the risk and trust the source, make sure to disable the feature again afterwards, to reduce any ongoing security risk.
- Never open links that seem suspicious. Check to make sure that the mail is really from the sender it claims to be. If it promises things that seem to be too good to be true, they probably are.
- Don't grant apps broad permissions, only let them access what they need to function. Avoid any apps that ask for more data than necessary. As can be seen in the FluBot case, broad permissions can lead to the malware being able to perform their unwanted tasks and spread themselves further.
- Get security software for your mobile device.
If any of your devices do get infected, or any of your data is stolen, report it to Crown agency Cert NZ.
It will help prevent further attacks, and Cert can guide you to the right tech support and law-enforcement help.
Flubot is more grist for the mill for Apple, which has recently been arguing with law-makers who want to liberalise rules around its App Store. Some regulators say rules around where iPhone (and Android) apps can be downloaded, and paid for, are needed for market competition. Apple argues it can only police privacy rules and maintain security through its own App Store.