
TangleBot is using coronavirus lures to target victims

A new smishing malware, named TangleBot, has been discovered stealing financial and personal information from victims. It targets Android mobile users based in the U.S. and Canada with SMS lures about COVID-19 regulations and vaccine details.

According to Cloudmark, the malware is named TangleBot as it comes with multiple levels of obfuscation and controls numerous entangled device functions, such as contacts, SMS/phone capabilities, internet access, call logs, microphones, and cameras.

Attackers send an SMS message containing links that claim to lead to new coronavirus regulations or to a confirmation of an appointment for a third vaccine dose.

If clicked, the malicious link tells the user that their Flash player is obsolete and must be updated. Accepting the update installs the TangleBot malware on the Android phone.

Afterwards, attackers can take control of communication between the infected device and banking or other financial apps. They use overlay screens to steal account credentials from financial actions started on the device.

In the next stage, TangleBot is granted permissions to access SMS, call logs, internet, camera, microphone, GPS, and contacts, which allow its operators to monitor phone calls and more.

This includes sending and receiving text messages and recording the camera, screen, and microphone audio, then streaming the recordings directly to the attacker. Together, these capabilities let the operators turn the malware into full spyware.

Moreover, TangleBot can use the infected Android device to message other mobile devices in search of more victims.
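For defenders vetting a sideloaded "update", the permission spread described above can be checked against the app's decoded AndroidManifest.xml. The following is an added example, not code from Cloudmark or the original post; the category-to-permission mapping, the threshold of five categories, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Access types listed in the article, mapped (editor's mapping) to standard Android permissions.
CATEGORIES = {
    "sms": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS"},
    "call_logs": {"READ_CALL_LOG"},
    "internet": {"INTERNET"},
    "camera": {"CAMERA"},
    "microphone": {"RECORD_AUDIO"},
    "gps": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "contacts": {"READ_CONTACTS"},
}

def requested_permissions(manifest_xml):
    """Return platform permission names (prefix stripped) from a decoded manifest."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):  # ignore app-defined permissions
            perms.add(name[len(PREFIX):])
    return perms

def audit(manifest_xml, threshold=5):
    """Flag a manifest whose requests span >= threshold categories (assumed cut-off)."""
    perms = requested_permissions(manifest_xml)
    hits = {c: sorted(perms & names) for c, names in CATEGORIES.items() if perms & names}
    return {"categories": hits, "flag": len(hits) >= threshold}

def make_manifest(package, names):
    """Build a constructed sample manifest; not taken from any real app."""
    rows = "".join(f'<uses-permission android:name="{n}"/>' for n in names)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{rows}</manifest>')

# Constructed samples: a fake "Flash update" and a simple QR scanner.
FAKE_UPDATE = make_manifest("com.example.flashupdate", [PREFIX + p for p in (
    "READ_SMS", "SEND_SMS", "READ_CALL_LOG", "INTERNET", "CAMERA",
    "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_CONTACTS")])
QR_SCANNER = make_manifest("com.example.qrscan", [
    PREFIX + "CAMERA", PREFIX + "INTERNET", "com.example.qrscan.permission.READ_SMS"])

if __name__ == "__main__":
    for label, doc in (("fake update", FAKE_UPDATE), ("qr scanner", QR_SCANNER)):
        result = audit(doc)
        print(label, "FLAG" if result["flag"] else "ok", sorted(result["categories"]))
```

A flag here is a triage signal for closer review, not proof of infection, since legitimate messaging apps also request several of these permissions.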

Takeaway: TangleBot is an active malware that has already been used to target victims in North America and other regions. It steals banking information, which is a hot commodity in underground markets. Users need to be wary of suspicious SMS messages and avoid clicking on any links from unknown sources without adequate security in place.

Stay safe out there -Attila

