A new Android threat that tries to trick mobile users into downloading malware by sending COVID-19 warning notifications could have a big impact on businesses that don’t take the threat seriously, a new post from Proofpoint warns.
The malware, dubbed TangleBot, can directly obtain personal information, control device interaction with apps and overlay screens, and steal account information from financial activities initiated on the device, the company said in a statement.
TangleBot is a particularly vicious piece of malware, said Jacinta Tobin, vice president of Cloudmark operations for Proofpoint. The malware wages an attack via a text or mobile message to users, the vast majority of whom tend to read all text messages they receive. TangleBot lures them by using COVID-19 warnings and seem legitimate, but once victims follow the prompts and install TangleBot, the malware can pre-empt normal app functionality. That means it can potentially steal credentials for any number of accounts that the user has apps for installed on the device, she added.
In contrast, typical malware like the Facebook malware FlyTrap steals log-in information for one account (Facebook). In that case, users are tricked via social media to download an application outside the app store. Once downloaded, the malware can steal Facebook credentials, but most users are leery of downloading software in this manner. The TangleBot malware uses the lure and then a software upgrade notification (Flash Player) as a well-crafted scam to trick the user, Tobin explained.
TangleBot also can overlay banking or financial apps and directly steal the victim’s account credentials. In addition, the malware can use the victim’s device to message other mobile devices throughout the mobile network. The capabilities also enable the theft of considerable personal information directly from the device and through the camera and microphone, spying on the victim, Tobin said.
TangleBot an Android Threat to Businesses Too
In addition to directly affecting Android users, TangleBot can have a disastrous effect on businesses, because it can steal log-in information. This can lead to potentially invalid and fake transactions not authorized by the company’s customers.
And since TangleBot can manipulate messaging and spy on the user, it could be used to build a detailed profile about the device’s owner, employer, and the contacts stored on the phone. This information is fed to the command and control of the malware and could be used to wage an attack on a business, Tobin said.
“IT teams should increase awareness for this risk of attack and notify and make their employees aware,” she advised. “For enterprise devices, installation of software outside the authorized app stores should be prohibited and periodic device (health) checks should be administered to scan for improper software, such as TangleBot.”
TangleBot is the latest in a stream of attacks against Android devices, such as the FluBot—which spread throughout Europe as an SMS package delivery scam—FlyTrap and Barcode Scanner. Although less common, malware is used against Apple devices on occasion.