Security researchers at Cloudmark, a Proofpoint company, have discovered a new Android malware strain, spread by SMS, that cybercriminals are using to target users across the US and Canada with Covid-19 lures.
The malware has been dubbed TangleBot because of its many levels of obfuscation and how it is able to control a multitude of entangled device functions including contacts, SMS and phone capabilities, call logs, internet access, camera and microphone.
Like FluBot, which remains a threat in Europe and the UK, TangleBot tries to trick mobile users into installing malicious software by sending out fake Covid-19 notifications. Some of the text messages used in the campaign claim to carry information about new regulations; others offer details on vaccine booster shots.
As with many phishing campaigns, the messages are built to create urgency: recipients want to know how Covid regulations have changed in their region, or they are interested in a booster shot to protect themselves against new variants, so they click before thinking.
If a user clicks the link in one of the campaign's text messages, a website appears claiming that Adobe Flash Player is out of date and must be updated. Clicking through the subsequent dialog boxes installs the TangleBot malware on their Android smartphone. The lure itself is a tell: Adobe discontinued Flash Player for Android in 2012 and ended support for Flash Player entirely at the end of 2020, so no legitimate site should ask a phone user to update it. Because the payload is delivered outside the Play Store, the victim must also approve installation from an unknown source, a prompt the fake update page talks them through.
Once installed, TangleBot prompts the victim to grant it access to the device functions listed above. With that access, an attacker can make and block phone calls; send, read and process text messages; record with the device's camera or microphone; record its screen; draw overlay screens on top of legitimate apps; and carry out other device-observation tasks, according to a blog post from Cloudmark.
As the company's researchers observed with FluBot, TangleBot can overlay banking or financial apps and steal a victim's account credentials directly. An attacker can also use the infected device to message other phones and spread the malware further. And even if a user discovers TangleBot on their device and removes it, the attacker may sit on the stolen credentials for some time before using them, so the victim has no immediate sign that their accounts have been compromised.
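The capability set described above (SMS interception and sending, call and contact access, screen overlays, camera and microphone) maps onto a recognisable combination of declarations in an Android app's manifest. The following is an added triage example, not Cloudmark's tooling and not TangleBot's actual manifest: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool; raw APKs hold binary XML) and flags the overlay-plus-accessibility-plus-SMS pattern that banking bots need. The permission and action identifiers are real Android constants; the two sample manifests and the scoring heuristic are constructed for this example.

```python
# Added example: permission-set triage for a decoded AndroidManifest.xml.
# Not TangleBot's manifest or Cloudmark's code; sample manifests below are
# constructed for illustration and the verdict heuristic is this example's own.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission identifiers, grouped by the device function each unlocks.
CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
              "android.permission.ANSWER_PHONE_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "av_capture": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "network": {"android.permission.INTERNET"},
}
# A <service> bound with this permission is an accessibility service: it can read
# and drive other apps' screens, which is how overlays are timed onto a banking app.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# A receiver for this action sees every incoming SMS (one-time codes included).
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text: str) -> dict:
    """Return the capability groups a manifest requests plus a coarse verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if requested & perms}
    if any(s.get(A_PERMISSION) == ACCESSIBILITY_PERM for s in root.iter("service")):
        found.add("accessibility")
    if any(a.get(A_NAME) == SMS_RECEIVED_ACTION for a in root.iter("action")):
        found.add("sms_receiver")

    # Heuristic (this example's own): overlay + accessibility + SMS together is the
    # credential-stealing bot pattern; a plain messenger has SMS but no overlay.
    if {"overlay", "accessibility", "sms"} <= found:
        verdict = "high"
    elif len(found) >= 4:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": sorted(found), "verdict": verdict}


# Constructed sample: what a bot of the kind described in the article might declare.
BOT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a legitimate SMS client needs messaging and contacts, nothing more.
MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (BOT_MANIFEST, MESSENGER_MANIFEST):
        print(triage_manifest(sample))
```

The point of scoring the combination rather than any single permission is that each item on its own is legitimate: messaging apps read SMS, screen readers bind accessibility services, and floating-bubble apps draw overlays. It is the co-occurrence of overlay, accessibility and SMS control in one sideloaded "update" that matches the behaviour Cloudmark describes.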
To avoid falling victim to TangleBot and similar mobile malware, Cloudmark recommends that users treat unexpected text messages from unknown senders with suspicion and avoid clicking any links they contain. Users should also avoid installing apps from sources other than the Google Play Store or another official app store; on Android, leaving the "install unknown apps" setting disabled for the browser blocks this delivery path outright, since the fake update page cannot install anything without that permission.