The spread of mobile malware has become rampant in the cyberthreat landscape. More threat actor groups are leveraging mobile malware to infect handsets and to compromise personal data. Security researchers from Proofpoint recently uncovered a new mobile malware, distributed via SMS, targeting Android users in the U.S. and Canada. Tracked as TangleBot, the malware is designed to infect Android devices and steal sensitive information stored on them. The researchers stated the TangleBot campaign leveraged COVID-19-themed phishing lures to trick users into installing malware on their devices.
TangleBot via Phishing SMS
Threat actors distributed TangleBot malware via multiple phishing SMS related to COVID-19 vaccine updates or a potential power outage. Attackers placed malicious URLs within the text messages, which, when clicked, redirect the victims to hacker-operated sources to install malware.
The phishing messages read:
New regulations about COVID-19 in your region. Read here: https//covid19*****
A power outage will occur in your area. More info here: https://hydro-ca.link**
“Unsuspecting users have presented a series of dialogue boxes requesting acceptance of the permissions and installation from unknown sources. Proofpoint analysts counted no less than nine dialogue boxes that users must click prior to the full installation of the malware. While this may seem like a lot, the lesson learned from the FluBot outbreak over the summer is that users tend to disregard the multiple warnings and permissions and still download and install software from unknown sources,” Proofpoint said.
After infecting the victims’ devices with TangleBot, attackers can
- Make and block phone calls
- Send, obtain, and process text messages
- Record the camera, screen, or microphone audio or stream them directly to the attacker
- Place overlay screens on the device covering legitimate apps and screens
- Implement other device observation capabilities
In addition to compromising users’ personal and banking details, TangleBot also leverages the text messaging service on the victim’s device to spread the malware throughout the mobile network. TangleBot can also steal private data using the camera and microphone app on the targeted device to spy on the victim.
Security experts from Proofpoint recommended mobile users to be vigilant while attending SMS warning messages and follow certain security practices, including:
- Be on the lookout for suspicious text messages. Criminals are increasingly using mobile messaging and SMS phishing as an attack vector.
- Carefully consider before providing your mobile phone number to an enterprise or other commercial entity.
- If you receive a message from any enterprise, including some sort of warning or package delivery notification that contains a web link, use your device’s browser to access the enterprise’s or service’s website directly.
- Do not use the web link provided in the text message. Do this as well for any offer codes you receive by entering them directly into the enterprise’s or service’s website from your browser.
- Don’t respond to any unsolicited enterprise or commercial messages from a vendor or enterprise you don’t recognize. Doing so will often confirm that you’re a “real person.”
- Don’t install software on your mobile device outside a certified app store from the vendor or Mobile Network Operator.
- Be careful when downloading and installing new software to your mobile device and read install prompts closely, looking for information regarding rights and privileges that the app may request.
“Harvesting personal information and credentials in this manner is extremely troublesome for mobile users because there is a growing market on the dark web for detailed personal and account data. Even if the user discovers the TangleBot malware installed on their device and can remove it, the attacker may not use the stolen information for some period, rendering the victim oblivious of the theft,” Proofpoint added.