Flubot: the evolution of a notorious Android Banking Malware

ID: 1d7828e9-a430-5474-8ce6-ec3384b947cb

STIX ID: report--1d7828e9-a430-5474-8ce6-ec3384b947cb

Feed Name: Fox-IT blog

Threat Score: 78/100

Date Published: 2022-06-29

Date Updated: 2026-04-27

Author: Global Threat Intelligence

This report analyzes Flubot, a widespread Android banking malware that spread through smishing, using infected devices as a distribution botnet, and stole credentials and session cookies via accessibility abuse, web injections, and WebView cookie capture. It documents version-by-version technical changes (DGA seeds, DoH, RC4, DNS TXT tunneling), operational campaigns across many countries, sample hashes, and the eventual Europol-enabled disruption of its C2 infrastructure, while noting the potential for reconstitution.