TangleBot Android Malware

TangleBot Android Malware Description

The TangleBot Android malware is an extremely powerful threat that is capable of performing numerous intrusive activities on the devices it infects. The threat was first discovered by the cybersecurity analysts at Cloudmark. According to their findings, the attack campaigns deploying TangleBot are targeted mainly at users residing in the United States and Canada. 

The Attack Chain

The attacks begin with the dissemination of bait SMS messages that contain a lure sentence and a corrupted link. These messages take advantage of the COVID-19 pandemic by mentioning new regulations or a third booster shot. Users who click on the provided link are taken to a dedicated website displaying a warning message that the device's Adobe Flash Player is out of date and needs an update. Ultimately, the dialog boxes lead to TangleBot being delivered to the victim's Android device.

The Threatening Functionality

The threat hides its code and nefarious activities under multiple layers of obfuscation. It also assumes control over multiple device functions and uses them to obtain various personal data. TangleBot can make or block phone calls; send, intercept, and scan text messages; make recordings; or stream through the device's camera, microphone and screen. Like most Android malware, it can also use overlay techniques to obtain information. Usually, the overlays target banking or payment applications, so the collected account credentials can lead to serious consequences for the victim.
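The capability set described above (SMS control, call control, screen overlays, camera and microphone recording) has to be requested from Android through declared permissions, which makes a decoded AndroidManifest.xml a cheap first triage signal for an analyst. The following script is an added example, not code from the original write-up or from Cloudmark: it pulls `<uses-permission>` entries out of a manifest and reports which of those capability groups an app could exercise. The permission names are real Android permissions, but the grouping of permissions into capabilities, the `score` threshold, and the two sample manifests are this example's own constructed assumptions. A legitimate SMS or dialer app will match one or two groups on its own; the heuristic is about the combination, not any single permission.

```python
import re
from typing import Dict, List, Set

# Assumed mapping (this example's own, not the write-up's) from the capabilities
# attributed to TangleBot to the Android permissions an app needs to implement them.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "sms_control": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "call_control": {
        "android.permission.CALL_PHONE",
        "android.permission.READ_PHONE_STATE",
        "android.permission.ANSWER_PHONE_CALLS",
    },
    # Drawing over other apps is the permission behind overlay attacks.
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "recording": {
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
}

# Matches <uses-permission android:name="..."> declarations in a decoded manifest.
PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')
# Matches a broadcast receiver registered for incoming SMS (a real Android action).
SMS_RECEIVED_RE = re.compile(r'android\.provider\.Telephony\.SMS_RECEIVED')

# Number of capability groups at which we flag the app for closer inspection (assumed).
SUSPICIOUS_THRESHOLD = 3


def extract_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of permission names declared in the manifest text."""
    return set(PERMISSION_RE.findall(manifest_xml))


def triage(manifest_xml: str) -> Dict[str, object]:
    """Score a manifest by how many of the capability groups it could exercise."""
    perms = extract_permissions(manifest_xml)
    matched: Dict[str, List[str]] = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        hits = sorted(perms & needed)
        if hits:
            matched[capability] = hits
    score = len(matched)
    return {
        "capabilities": matched,
        "score": score,
        "registers_sms_receiver": bool(SMS_RECEIVED_RE.search(manifest_xml)),
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


# Constructed sample: a manifest resembling an ordinary messaging app.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>"""

# Constructed sample: a manifest requesting every capability group at once,
# including a high-priority receiver for incoming SMS.
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS" />
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, triage(manifest))
```

Run against a manifest obtained with a decoder such as apktool, the output lists each capability group with the exact permissions that triggered it, so the analyst can see at a glance whether an app that claims to be a Flash updater is asking to read SMS, draw over other apps and open the microphone. The threshold is deliberately coarse; the value of the check is in prompting a manual look, not in deciding on its own.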