New SMS malware targets Android users through fake COVID messages

Dubbed TangleBot, the malware can overlay financial apps with its own screens in an attempt to steal your account credentials, says Cloudmark.

Image: iStock/CarmenMurillo

A new and devious SMS malware campaign is trying to infect people via their mobile devices by promising details about COVID-19. Aimed at Android users in the U.S. and Canada, the malware known as TangleBot can make and block phone calls, send text messages, and overlay malicious screens on a compromised device, said a new report from security firm Cloudmark.

As cybercriminals continue to exploit the coronavirus pandemic, TangleBot attempts to trick Android users into downloading malicious software through phony messages about COVID-19. One message discovered by Cloudmark says: “New regulations about COVID-19 in your region. Read here.”

Image: Cloudmark

Another message says: “You have received the appointment for the 3rd dose. For more information, visit…”

Image: Cloudmark

“Social engineering that uses the pandemic as a lure continues to be a major issue globally,” said Hank Schless, senior manager for Security Solutions at security firm Lookout. “It’s advantageous for attackers to leverage socially uncertain situations in order to make their phishing campaigns more effective. People are more likely to let their guard down and interact with something online that promises information they need.”

Clicking the link in either message brings up a notice claiming that the Adobe Flash Player on your device is out of date and must be updated. If you take the bait and click through the follow-up dialog boxes, the TangleBot malware is installed on your Android device.

Once installed, TangleBot is granted permission to access and control a variety of features and content on your phone or tablet, including contacts, SMS and phone capabilities, call logs, internet access, camera and microphone access, and GPS. The malware was named TangleBot specifically because it can control so many different functions and do so with several levels of obfuscation, according to Cloudmark.

With the necessary access, the criminals behind the attack can perform any of the following tasks:

  • Make and block phone calls.
  • Send, obtain and process text messages.
  • Record the camera, screen or microphone audio or stream them directly.
  • Place overlay screens on the device covering legitimate apps.
  • Set up other methods to observe activity on the device.

The ability to overlay screens that cover legitimate apps is particularly troublesome. TangleBot can overlay banking or financial apps with its own screens as a way to steal your financial account credentials. Accessing the camera and microphone is also worrying as it gives the attacker the means to spy on you. Further, the malware can use your device to message other devices as a way to spread.
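As an added example (not code from Cloudmark or the article), the following Python helper parses `adb shell dumpsys package` style output and flags any app that requests the overlay permission alongside the SMS, call, camera/microphone and location capabilities described above. The sample output and the capability-to-permission mapping are constructed for illustration; real dumpsys output varies by Android version.

```python
import re

# Constructed sample shaped like `adb shell dumpsys package` output.
# Not captured from TangleBot; package names are placeholders.
SAMPLE_DUMPSYS = """
Package [com.example.flashupdate] (a1b2c3):
  requested permissions:
    android.permission.RECEIVE_SMS
    android.permission.SEND_SMS
    android.permission.CALL_PHONE
    android.permission.READ_CALL_LOG
    android.permission.CAMERA
    android.permission.RECORD_AUDIO
    android.permission.ACCESS_FINE_LOCATION
    android.permission.SYSTEM_ALERT_WINDOW
  install permissions:
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
Package [com.example.weather] (d4e5f6):
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_COARSE_LOCATION
"""

# Capability groups named in the report, mapped to the Android permissions
# that grant them (mapping chosen for this example, not from the report).
CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS", "android.permission.READ_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "camera_mic": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
}

def parse_requested_permissions(dumpsys_text):
    """Return {package: set(requested permissions)} from dumpsys-style text."""
    result, current, in_requested = {}, None, False
    for line in dumpsys_text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:  # new package block; following sections belong to it
            current, in_requested = m.group(1), False
            result[current] = set()
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):  # section header
            in_requested = stripped == "requested permissions:"
            continue
        if in_requested and current and stripped.startswith("android.permission."):
            result[current].add(stripped)
    return result

def risky_capability_sets(dumpsys_text, min_groups=3):
    """Flag packages combining overlay with at least min_groups capability groups."""
    flagged = {}
    for pkg, perms in parse_requested_permissions(dumpsys_text).items():
        groups = sorted(g for g, ps in CAPABILITIES.items() if perms & ps)
        if "overlay" in groups and len(groups) >= min_groups:
            flagged[pkg] = groups
    return flagged
```

Flagged packages are a triage starting point, not a verdict; legitimate accessibility or dialer apps can request several of these permissions too.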

Any personal information stolen by the attacker typically wends its way to the Dark Web where buyers are eager to scoop up such sensitive data. Even if a victim is able to remove the TangleBot malware, criminals may not use the stolen information for some time, so you may remain at risk.

“Mobile devices offer countless channels for attackers to deliver socially engineered phishing campaigns with the goal of swiping corporate login credentials or installing advanced malware that can exfiltrate sensitive data from the device,” Schless said. “For organizations that allow employees to use personal devices for work in a BYOD model, the risk is even higher considering the number of personal apps people use. Attackers can deliver campaigns through SMS, social media, third-party messaging apps, gaming and even dating apps.” 

To help mobile users protect themselves from SMS malware, Cloudmark offers several tips.

  • Look out for suspicious text messages. Attackers increasingly are using mobile messaging and SMS phishing to carry out attacks.
  • Guard your mobile number. Consider the potential consequences before you provide your mobile phone number to an enterprise or other commercial entity.
  • Access any linked website directly. If you get a text from any enterprise, especially one with a warning or delivery notification that has a webpage link, don’t click on that link. Instead, open your browser to access the company’s website directly. Similarly, take any offer codes you receive in a message and enter them directly in the company’s website to see if they’re legitimate.
  • Report SMS phishing and spam messages. If you get a spam message, use the spam reporting feature in your messaging app if it has one. Alternatively, forward spam text messages to 7726, which spells “SPAM” on your phone’s keypad.
  • Be cautious when installing apps to your device. When downloading and installing new programs to your mobile device, read any installation prompts first and carefully review any requests for permission to access certain types of content.
  • Avoid responding to unsolicited texts. Don’t respond to unsolicited enterprise or commercial messages from a vendor or company you don’t recognize. Doing so often simply confirms that you’re a “real person.”
  • Install apps only from legitimate app stores. Don’t install software on your mobile device outside of a certified app store from the vendor or your mobile operator.

Schless also has some tips of his own.

“To keep ahead of attackers who want to leverage this attack chain, organizations everywhere should implement security across mobile devices with mobile threat defense (MTD), protect cloud services with cloud access security broker (CASB) and implement modern security policies on their on-prem or private apps with Zero Trust Network Access (ZTNA),” Schless said.

“A security platform that can combine MTD, CASB and ZTNA in one endpoint-to-cloud solution that also respects end-user privacy regardless of the type of device they’re on is a key part of implementing zero trust across the infrastructure and keeping ahead of the latest cybersecurity threats.”
