Android Malware

An "insidious" new SMS-delivered ("smishing") malware has been found targeting Android mobile users in the U.S. and Canada as part of an ongoing campaign that uses text message lures related to COVID-19 regulations and vaccine information in an attempt to steal personal and financial data.

Proofpoint's messaging security subsidiary Cloudmark named the emerging malware "TangleBot."


"The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone," the researchers said.

Besides its ability to obtain sensitive information, the malware is engineered to control the device's interaction with banking or financial apps by placing overlay screens on top of them, and to harvest account credentials from financial activity initiated on the phone.


The attacks themselves originate from SMS messages that claim to contain "new regulations about COVID-19" or confirmation of an "appointment for the 3rd [vaccine] dose," urging users to click on an accompanying link. When visited, the linked page notifies the victim that their Adobe Flash player is out of date and must be updated. Opting to update the software results in the installation of the TangleBot malware on the Android device.


In the next phase, TangleBot is granted wide-ranging permissions to access contacts, SMS, call logs, internet, camera, microphone, and GPS. This enables the operators to intercept phone calls, send and receive text messages, record the camera, the screen, or microphone audio, or stream them directly to the attacker, turning the device into full-fledged spyware.
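The permission set described above (SMS, call logs, contacts, camera, microphone, location, internet, plus the overlay capability used against banking apps) is a useful triage signal for defenders reviewing a sideloaded APK. The following script is an added example, not code from the original article or from Cloudmark/Proofpoint: it parses an `AndroidManifest.xml`, maps the declared `uses-permission` entries onto the capability groups the article lists, and returns a verdict. The Android permission names are the real ones from the platform; the two sample manifests and the scoring thresholds are constructed here for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace every Android manifest declares for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the capability the article attributes to TangleBot.
CAPABILITY_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
              "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},  # draws screens over other apps
    "internet": {"android.permission.INTERNET"},
}


def extract_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Map declared permissions to capability groups and assign a coarse verdict.

    Thresholds are an assumption for this example, not a published rule:
      - overlay + SMS together is the banking-overlay/credential-theft pattern -> spyware-grade
      - five or more groups including network egress -> spyware-grade
      - three or more groups -> worth a manual review
    """
    perms = extract_permissions(manifest_xml)
    hit = {group for group, wanted in CAPABILITY_GROUPS.items() if perms & wanted}
    if {"overlay", "sms"} <= hit or (len(hit) >= 5 and "internet" in hit):
        verdict = "spyware-grade"
    elif len(hit) >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"permissions": sorted(perms), "capabilities": sorted(hit), "verdict": verdict}


# Constructed sample: what a fake "Flash update" APK with the article's capabilities might declare.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: a plausible camera app that uploads photos, for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(label, report["verdict"], report["capabilities"])
```

On a real device image or extracted APK you would feed the decoded manifest (for example the output of `aapt dump badging` or `apktool`) into `triage`; the script is a prioritisation aid for an analyst, not a substitute for dynamic analysis, since a declared permission only shows what the app can do, not what it does.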


"Harvesting of personal information and credentials in this manner is extremely troublesome for mobile users because there is a growing market on the dark web for detailed personal and account data," the researchers said. "Even if the user discovers the TangleBot malware and is able to remove it, the attacker may not use the stolen information for some period of time, rendering the victim oblivious of the theft."
