A new Android malware variant has been discovered by researchers that is being distributed via SMS messages and has been used in attacks in the United States and Canada. The new Android malware has been dubbed TangleBot by the Cloudmark researchers who discovered it, due to the complex nature of the malware and the many different forms of obfuscation it uses.
The malware can be used to perform a range of malicious activities on compromised devices. It can identify and exfiltrate sensitive data, spy on users, control interactions with apps via overlay screens, and steal financial account information from financial activities that are initiated on the device.
The malware is being distributed via SMS messages that attempt to trick users into clicking a malicious link using COVID-19 themed lures such as information about booster vaccine shots. One SMS message template used is “New regulations about COVID-19 in your region. Read here,” and another had the text “You have received the appointment for the 3rd dose. For more information visit:”
If the user clicks on the link, they are directed to a malicious website where they are advised that Adobe Flash needs to be updated. If the prompts are accepted, TangleBot is downloaded and grants itself a wide range of privileges.
While TangleBot malware has similarities with other forms of mobile malware such as FluBot, it has a much more extensive range of tools that provide access to a large number of mobile device functions. The malware can access and block SMS messages and phone calls, obtain call logs, spy on Internet access, exfiltrate GPS data, and gain control of the camera and microphone.
Those capabilities give attackers a wide range of options for conducting attacks. Attacks could involve premium-number fraud, as the malware is able to make calls silently in the background. Incoming calls can also be blocked without alerting users.
SMS messages can be blocked or intercepted, including SMS messages used for two-factor authentication. The malware can also self-propagate by sending copies of itself to the victim’s contacts via SMS messages.
TangleBot malware can be used as spyware, recording audio via the microphone or video by hijacking the camera. Feeds can be streamed directly to the attacker to provide real-time information about the user, and since GPS data can be obtained, the phone’s location can be constantly tracked. Personal information stored on the devices can also be exfiltrated.
Perhaps the most dangerous feature of TangleBot is the ability of the malware to interact with apps. The malware reports back on the apps that are installed on the device and can inject overlay screens for banking and other financial apps, giving the attackers the credentials they need to access and empty victims’ accounts.