Cell phone users in Canada and the United States are being targeted by a new and advanced form of SMS malware that lures victims with COVID-19-related content.
Threat analysts at Cloudmark discovered the new low-volume campaign attacking Android mobile device users and named it TangleBot. This complex malware can directly obtain personal information, control device interaction with apps and overlay screens, and steal account information from financial activities initiated on the device.
TangleBot sends SMS text messages themed around coronavirus regulations and third doses of COVID vaccines known as booster shots to entice users into downloading malware. Victims who take the lure unwittingly download malware that compromises the security of their device and configures the system so that confidential information can be exfiltrated to systems controlled by the attacker(s).
The malware allows the threat actor(s) to control everything from call logs and contacts to the phone camera and GPS on an infected device and employs multiple levels of obfuscation to keep its presence hidden from the device’s user.
“The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone,” wrote the analysts.
The messages sent as part of the malware campaign appear to be warnings or appointment notifications. One such SMS contained the text “New regulations about COVID-19 in your region. Read here:” followed by a malicious link.
Another preceded a malicious link with the statement: “You have received the appointment for the 3rd dose. For more information visit:”
Users who click the link land on a website telling them that the Adobe Flash Player software on their device is out of date and must be updated before they can proceed. Accepting the subsequent dialog boxes installs the TangleBot malware on the Android device.
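A small triage heuristic, added here as an illustration and not part of Cloudmark's report, that scores SMS text for the lure pattern described above (COVID-19 theme, official-sounding wording, a prompt to act, and a link). The sample messages are constructed, and the signal weights and threshold are assumptions for the demonstration.

```python
import re

# Constructed sample traffic: the two lure texts quoted in the article, each
# followed by a placeholder link, plus two benign messages for contrast.
SAMPLE_SMS = [
    "New regulations about COVID-19 in your region. Read here: http://example.invalid/r1",
    "You have received the appointment for the 3rd dose. For more information visit: http://example.invalid/v3",
    "Your pharmacy: the 3rd dose appointment is confirmed for Monday 10:00. Reply STOP to opt out.",
    "Dinner at 7? Check this recipe http://example.invalid/pasta",
]

# Signals drawn from the lures the article describes; the weights are assumptions.
SIGNALS = {
    "covid_theme": (re.compile(r"covid|coronavirus|vaccin|booster|\b3rd dose\b|third dose", re.I), 2),
    "official_sounding": (re.compile(r"regulation|appointment|your region|notification", re.I), 1),
    "call_to_action": (re.compile(r"read here|more information visit|click|update", re.I), 1),
    "link": (re.compile(r"https?://\S+", re.I), 2),
}
THRESHOLD = 5  # assumption: theme + link + at least one prompt is enough to hold for review


def score_sms(text):
    """Return (score, list of matched signal names) for one message."""
    hits = [name for name, (rx, _) in SIGNALS.items() if rx.search(text)]
    return sum(SIGNALS[name][1] for name in hits), hits


def is_suspect(text, threshold=THRESHOLD):
    """True only when a COVID theme and a link occur together with enough other signals.

    A health message without a link (an appointment confirmation) or a link
    without the theme (a shared recipe) stays below the bar, which keeps the
    heuristic from flagging ordinary traffic.
    """
    score, hits = score_sms(text)
    return score >= threshold and "link" in hits and "covid_theme" in hits


def triage(messages):
    """Return [(message, score)] for every message that should be held for review."""
    return [(m, score_sms(m)[0]) for m in messages if is_suspect(m)]
```

Run on an SMS gateway or a device's message export, the same scoring can be applied to outbound traffic, since an infected handset relaying the lure to its contacts produces messages of exactly this shape.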
“As we have seen with FluBot, TangleBot can overlay banking or financial apps and directly steal the victim’s account credentials,” noted the analysts.
“Also, TangleBot can use the victim’s device to message other mobile devices, spreading throughout the mobile network.”