In what is now becoming a recurring occurrence, new malware is out in the wild targeting Android users. Just a few weeks ago, we highlighted how the “Joker Virus” had already wreaked havoc on several apps in the Play Store, prompting Google to pull down the affected apps to prevent the virus from being installed unknowingly by more people.
The new virus named “TangleBot” uses people’s interest in Covid-19 to trick Android users into clicking a link that will infect their mobile handsets.
Cloudmark, a company that deals with mobile and email security, says that the malware sends Android users a text message that either claims to have the latest Covid-19 guidance for their area or informs them that their Covid-19 vaccine appointment has been scheduled.
When you fall for this message and click on the link, you are prompted to update your phone’s Adobe Flash Player, which instead installs the virus on your Android phone.
“The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, [GPS], and camera and microphone,” Cloudmark researchers said.
The deep level of access TangleBot gains means that attackers can interfere with voice call functions, blocking calls or silently making calls in the background without users having any idea what is going on. In practice, this is an ideal setup for premium number fraud, where a user is charged a high rate for a call to an attacker-controlled toll number.
Ryan Kalember, executive vice president at Cloudmark’s parent company Proofpoint, also points out that the TangleBot malware can show hacked users an “overlay” screen that appears authentic but is instead a fake window run by attackers to steal information.
“These overlays are being used to hack banking credentials because the users might believe they are logging into their mobile banking while typing in their information on a fake screen, which then relays the information to the hackers,” Kalember said.
“Harvesting of personal information and credentials in this manner is extremely troublesome for mobile users because there is a growing market on the Dark Web for detailed personal and account data,” according to Cloudmark. “Even if the user discovers the TangleBot malware installed on their device and is able to remove it, the attacker may not use the stolen information for some period of time, rendering the victim oblivious of the theft.”
Cloudmark notes that criminals are increasingly using mobile messaging as a method of attack, and asks users to avoid responding to unsolicited commercial messages.
Clicking links present in text messages is also very risky and should be avoided at all costs, especially ones with names that try to mimic well-known establishments.
Kalember concludes by pointing out that the discovery does not mean there is a security vulnerability in Android. The criminals are tricking users into installing the virus with information they are most likely interested in, in this case Covid-19, rather than using a vulnerability in the Android OS to get access.