Nov 2, 2021
0 0

TangleBot Android malware hijacks phone to steal login credentials

Written by

Tags, , , , , , ,
Super secure VPN
Minimal data logging
Favorable privacy policy

It is a fact that SMS messages have become a preferred attack vector to spread malicious software and infect mobile devices. Recently, Hackread reported the notorious FluBot SMS Android malware that targeted mobile devices across Europe and the UK.
Now, there is another Android malware on the block called TangleBot, which employs more or less similar tactics to gain control of the device- the problem is that it is far more invasive than FluBot.
According to Cloudmark and Proofpoint cybersecurity researchers, both of which reported the new SMS-based (SMishing) malware campaign involving TangleBot, when TangleBot is installed on a device, it gains access to several different permissions to eavesdrop on user communications.
The malware also steals sensitive data stored on the device and monitors just about every user activity such as camera usage, audio conversations, and location, etc. Furthermore, the malware takes full control of the targeted device, including accessing banking data and can penetrate the deepest corners of Android OS.
At the moment, TangleBot is targeting users in the USA and Canada. The malware gets installed when an unsuspecting user clicks on a malicious link received in an SMS message.

As soon as the link is clicked, malware operators get complete control of the device, from websites visited stealing login credentials and passwords since it uses a keylogger and spies on the user.
Hence, the malware is equipped with a full range of surveillance and data-stealing features.
According to Proofpoint researchers, the initial lure comes as an SMS message, and this message is masqueraded as information about COVID-19 vaccination regulations/appointment-related information.
SMS with COVID and vaccine lures (Left, center) – Permissions requested by TangleBot (Right) Image: Cloudmark
More recently, researchers have noted a change in attackers’ strategy as there’s a new message that informs about fake local power outages that are due to occur.

Nevertheless, the aim behind both messages remains the same- to encourage potential victims to follow a link that supposedly offers detailed information. Once they are at the page, the user is asked to update to Adobe Flash Player to view the page’s content.
It is worth noting that Adobe stopped supporting Flash, back in Dec 2020, and it no longer supports Flash on mobile devices. Afterward, the victim goes through nine dialogue boxes to give acceptance to different permissions. If they agree to provide all the permissions, malware operators will initiate the malware configuration process.
In its blog post, researchers at Cloudmark explained that users should avoid checking out suspicious-looking SMS messages, never provide their mobile phone number to a commercial entity. If they receive a warning message containing a web link, they must access the enterprise or service’s website directly and refrain from opening the link.
Lastly, users in the United States can report SMS phishing spam and forward the text messages to 7726 (SPAM). Those in Canada can Canadian Anti-Fraud Centre by telephone at 1-888-495-8501.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Get the best stories straight into your inbox!

Don’t worry, we don’t spam
 App Store Google News
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom. is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT
The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.


Article Categories:

Comments are closed.