TangleBot Malware Reaches into Android Device Functions!


An Android malware called TangleBot has arrived on the cyber-scene, one that researchers say can perform a wide range of malicious actions, including stealing personal information & taking control of apps & device functions.

Once installed, the malware obtains permissions to almost every function on the device, enabling spying, data harvesting, stalking & fraud, among other attacks.

SMS Messaging

According to Cloudmark researchers, the newly discovered mobile malware is spreading via SMS messages in the US & Canada, using lures about COVID-19 boosters & regulations. The goal is to social-engineer targets into clicking an embedded link, which takes them to a website. The site tells users they need an “Adobe Flash update.” If they click through the subsequent dialog boxes, TangleBot installs. The lure itself is a tell: Adobe discontinued Flash Player for Android in 2012, so any Android site demanding a Flash update is asking the user to sideload something else.

In propagation method & theme, TangleBot resembles other mobile malware, such as the FluBot SMS malware that targets the UK & Europe or the CovidLock Android ransomware, which is an Android app that pretends to give users a way to find nearby COVID-19 patients. Its wide-ranging access to mobile device functions is what sets it apart, Cloudmark researchers observed.

Launch Attacks

“The malware has been given the moniker TangleBot because of its many levels of obfuscation & control over a myriad of entangled device functions, including contacts, SMS & phone capabilities, call logs, internet access, GPS, & camera & microphone,” they noted in a Thurs. writeup.

To reach so far into Android’s internals, TangleBot requests permissions to access & control all of the above, researchers commented, meaning that once the user accepts them the attackers have a free hand to launch attacks with a wide array of goals.

Voice Call Function

Attackers can manipulate the incoming voice call function to block calls & can also silently place calls in the background without the user noticing. That is a perfect setup for premium-number fraud, where the victim is charged a high rate for a call to an attacker-controlled toll number.

TangleBot can also send, receive & process text messages, enabling SMS fraud, interception of SMS-based 2-factor authentication codes, self-propagation to the victim’s contacts & more.

It also has deep spyware capabilities, with the ability to record camera, screen or microphone output or stream it directly to the attacker, along with “other device observation capabilities,” according to Cloudmark. Access to the GPS functionality, for example, creates the potential for location tracking.

Installed Applications

Also, the firm noted that the malware can take stock of installed applications & interact with them, as well as place overlay screens on top of these to, say, harvest credentials in the style of a banking trojan.

“The ability to detect installed apps, app interactions & inject overlay screens is extremely problematic,” researchers noted. “As we have seen with FluBot, TangleBot can overlay banking or financial apps & directly steal the victim’s account credentials….The capabilities also enable the theft of considerable personal information directly from the device.”
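The permission set described above (SMS, telephony, call logs, contacts, location, camera, microphone & screen overlays) is exactly what an incident responder would look for when triaging an Android device. The following is an added example, not Cloudmark’s tooling or anything from the TangleBot sample: it parses the text that `adb shell dumpsys package` emits, groups each package’s requested permissions into capability buckets & flags packages that span an unusually large number of them. The package names & the dumpsys excerpt are constructed for the example.

```python
"""Triage Android packages for TangleBot-style permission sets.

Reads the output of `adb shell dumpsys package` (or `dumpsys package <pkg>`)
and flags packages whose requested permissions span many of the capability
buckets the TangleBot writeup describes. Added example; sample input is
constructed and the package names are hypothetical.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Capability buckets, each keyed by the Android permissions that grant it.
CAPABILITIES: dict[str, set[str]] = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
            "android.permission.READ_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
              "android.permission.ANSWER_PHONE_CALLS",
              "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    # SYSTEM_ALERT_WINDOW is what overlay-based credential theft relies on.
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

PACKAGE_RE = re.compile(r"^\s*Package \[(?P<name>[\w.]+)\]")
PERM_RE = re.compile(r"^\s*(?P<perm>android\.permission\.[A-Z_]+)")


def parse_requested_permissions(dump: str) -> dict[str, set[str]]:
    """Return {package: requested permissions} from dumpsys package text.

    Only the 'requested permissions:' section of each package is read; the
    section ends at the first line indented no deeper than its header.
    """
    result: dict[str, set[str]] = defaultdict(set)
    current = None
    in_requested = False
    header_indent = 0
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group("name")
            in_requested = False
            continue
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            in_requested = True
            header_indent = indent
            continue
        if in_requested:
            if not stripped or indent <= header_indent:
                in_requested = False  # left the section
                continue
            pm = PERM_RE.match(line)
            if pm and current:
                result[current].add(pm.group("perm"))
    return dict(result)


def classify(perms: set[str]) -> set[str]:
    """Map a set of permissions onto the capability buckets it unlocks."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(dump: str, min_caps: int = 4) -> dict[str, set[str]]:
    """Flag packages whose requested permissions span >= min_caps buckets."""
    flagged = {}
    for pkg, perms in parse_requested_permissions(dump).items():
        caps = classify(perms)
        if len(caps) >= min_caps:
            flagged[pkg] = caps
    return flagged


# Constructed dumpsys excerpt: a fake "Flash update" app, a messenger that
# legitimately needs SMS/contacts/camera, and a notes app with only INTERNET.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.flashupdate] (a1b2c3):
    userId=10215
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.CALL_PHONE
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.messenger] (d4e5f6):
    userId=10102
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (0a0b0c):
    userId=10090
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for pkg, caps in sorted(triage(SAMPLE_DUMP).items()):
        print(f"{pkg}: {', '.join(sorted(caps))}")
```

On a real device, pipe `adb shell dumpsys package` into `triage`. The threshold is a triage heuristic, not a verdict: a dialer or messaging app legitimately lands in three or four buckets, so treat the output as a shortlist for manual review, & pay particular attention to SYSTEM_ALERT_WINDOW together with SMS or call permissions, since that pairing is what overlay credential theft & 2FA interception need.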

That is a problem for businesses, too: employees increasingly use personal devices for work, so an overlay that captures a login to a corporate app, or a stolen SMS 2-factor code, lands the attacker inside the company as well as the victim’s bank.

Safe Messaging

To avoid threats like TangleBot, mobile users should follow safe messaging habits & avoid clicking links in texts, even if they appear to come from a legitimate contact, researchers noted.

They should also be careful when downloading apps & should read install prompts closely, looking out for the rights & privileges an app requests; a “Flash update” that asks for SMS, phone, camera, microphone & overlay permissions has no legitimate need for them. Finally, they should be wary of sideloading any software from outside the official app store.

“Harvesting of personal information & credentials in this manner is extremely troublesome for mobile users because there is a growing market on the Dark Web for detailed personal & account data,” according to Cloudmark.

“Even if the user discovers the TangleBot malware installed on their device & is able to remove it, the attacker may not use the stolen information for some period of time, rendering the victim oblivious of the theft.”
