Security researchers at Cloudmark, a Proofpoint company, have discovered a new piece of Android malware, distributed via SMS, that cybercriminals are using to target users in the US and Canada with Covid-19 lures.
The malware has been dubbed TangleBot because of its many levels of obfuscation and how it can control a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, camera, and microphone.
As with the FluBot malware that still poses a threat in Europe and the UK, TangleBot tries to trick mobile users into downloading malicious software by sending fake Covid-19 warning messages. While some of the text messages used in the campaign contain regulatory information, others provide details about booster vaccinations.
As is the case with many phishing campaigns, these messages create a sense of urgency: users may want to know how Covid regulations have changed in their region, or may be interested in a Covid-19 vaccine booster shot to better protect themselves against new variants of the virus.
If a user clicks on the link in one of the campaign's text messages, a website appears claiming that Adobe Flash Player is out of date and needs to be updated. Clicking through the dialog boxes that follow installs the TangleBot malware on the user's Android smartphone. The lure itself is a giveaway: Adobe dropped Flash Player for Android in 2012 and ended support for Flash entirely at the end of 2020, so no legitimate web page on a current phone needs a Flash update.
TangleBot is then granted privileges to access and control the device functions mentioned above. With this access, according to a blog post from Cloudmark, an attacker can make and block phone calls; send, receive and process text messages; record with the device's camera or microphone and record the screen; place overlay screens on the device that cover legitimate apps; and carry out other device-observation activities.
Just as the company’s researchers observed with FluBot, TangleBot can overlay banking or financial apps and steal a victim’s account information directly. However, an attacker could also use a victim’s device to message other mobile devices to further spread their malware. Even if a user discovers that TangleBot is installed on their device and removes it, an attacker may not use their stolen information for some time, leaving the victim unaware that their account information has been stolen.
To avoid falling victim to TangleBot and other mobile malware, Cloudmark advises users to be wary of suspicious text messages from unknown senders and to avoid clicking on links in those messages. Users should also avoid installing apps from sources other than the Google Play Store or other official app stores.
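The advice above is about not sideloading in the first place; a practitioner also wants to know whether a device already has apps that did not come from an app store, which is exactly how TangleBot arrives. The script below is an added example, not code from the article or from Cloudmark. It reads the installer that Android's package manager records for each app (the output of `adb shell pm list packages -i`, which prints `package:<name>  installer=<installer>` per line) and flags every package whose installer is not on a trusted list. The trusted-installer list, the sample listing and the package names in it (including `com.example.flashupdate`) are constructed for the example; live use assumes `adb` and a device with USB debugging enabled.

```shell
#!/bin/sh
# Added example (not from the article or Cloudmark): flag Android packages that
# were not installed by an app store, using the installer recorded by the
# package manager.
#
# Live use (assumption: adb is installed and the device has USB debugging on):
#   adb shell pm list packages -i > pkgs.txt
#   sh audit_sideload.sh pkgs.txt
# Without an argument the script runs on the constructed sample listing below.

# Installers treated as trusted. Add your OEM store if you rely on one.
TRUSTED_INSTALLERS="com.android.vending com.amazon.venezia com.sec.android.app.samsungapps"

# Constructed sample of 'pm list packages -i' output (not from a real device).
# installer=null marks preloaded/system packages; a package-installer component
# as the installer means the APK was sideloaded from a browser download or file.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.flashupdate  installer=com.android.packageinstaller
package:com.bank.app  installer=com.android.vending'

# Reads 'pm list packages -i' lines on stdin and prints one line per package
# whose installer is neither null nor in TRUSTED_INSTALLERS.
flag_sideloaded() {
    # adb shell output often carries CRLF line endings; strip the CR first.
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            package:*installer=*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}       # package name ends at first whitespace
        inst=${line##*installer=}      # installer is the last field
        if [ "$inst" = "null" ]; then
            continue                   # preloaded/system package
        fi
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$inst" = "$t" ]; then
                trusted=1
            fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s (installer=%s)\n' "$pkg" "$inst"
        fi
    done
}

if [ -n "${1:-}" ]; then
    flag_sideloaded < "$1"
else
    printf '%s\n' "$SAMPLE" | flag_sideloaded
fi
```

On the constructed sample the only line printed is the fake Flash "update", installed by the system package installer rather than by Google Play. A package that shows up here is not necessarily malicious (developers sideload their own builds), but on an ordinary user's phone every entry deserves a look, and one that appeared right after an SMS link was tapped deserves a close one.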