In a blog post, ESET researcher Tony Anscombe said the malware was installed via an SMS message that impersonated a well-known delivery brand such as FedEx, DHL or Correos, the last-named being in Spain.
Once the malware gained access to a device, it was able to steal credit card numbers and access credentials to online banking services.
It also neutered the protections built into the Android system and stopped many third-party anti-malware packages from being installed.
The malware disabled Google Play Protect to avoid being detected, and since it required extensive permissions to be installed, it was able to block other software from being installed.
ESET released a short video showing how Flubot could be removed. The company said another malware app, TeaBot, used tactics similar to Flubot's.
Said Anscombe: "If you receive an unknown or unexpected SMS message with a clickable link, refrain from clicking the link and instead remove the message.
"In the unfortunate scenario that the malware was installed on a device and banking or other activity has taken place since the installation took place, then contact the organisations concerned immediately to block access and where necessary change passwords, remembering to make them unique and strong.
"Whether this malware makes it to North America in any significant number or not, the functionality and the devastation already caused in Europe should heighten the call to action for all Android users to watch out for suspicious messages and to install security software in order to prevent such extremely malicious apps from ever getting on their devices."