This new Android malware gets full control of your phone to steal passwords and info

TangleBot uses a keylogger to steal information entered into websites - and it can monitor the location of victims, as well as secretly recording audio and video.
Written by Danny Palmer, Senior Writer

Another new form of Android malware is being spread via text messages with the aim of luring victims into clicking a malicious link, and inadvertently allowing cyber criminals to gain full control of the device to steal personal information and bank details. 

Dubbed TangleBot, the malware first appeared in September and once installed gains access to many different permissions required for eavesdropping on communications and stealing sensitive data, including the ability to monitor all user activity, use the camera, listen to audio, monitor the location of the device, and more. Currently, it's targeting users in the US and Canada. 

The campaign has been detailed by cybersecurity researchers at Proofpoint who note that while the initial lures came in the form of SMS messages masquerading as information about Covid-19 vaccination appointments and regulations, more recent efforts have falsely claimed local power outages are about to occur. 


In each case, the potential victim is encouraged to follow a link referencing the subject of the lure for more information. If they do, they're told that in order to view the content on the website they're looking for, Adobe Flash Player needs to be updated. Adobe stopped supporting Flash in December 2020 and it hasn't been supported on mobile devices since 2012, but many users probably won't know this. 

Clicking the link leads victims through a series of nine dialogue boxes requesting acceptance of the permissions and installation from unknown sources that, if accepted, provide cyber attackers with the ability to set up and configure the malware.

TangleBot provides the attackers with full control over the infected Android device, allowing them to monitor and record all user activity, including the websites visited, and to steal usernames and passwords using a keylogger, while also allowing the attackers to record audio and video using the microphone and camera.

The malware can also monitor data on the phone including messages and stored files, as well as monitoring the GPS location, allowing what researchers describe as a "full range of surveillance and collection capabilities". 


SMS messages have become a common vector for spreading malware, with FluBot malware being particularly prominent in recent months. FluBot often spreads via text messages claiming the victim has missed a delivery and, like TangleBot, tricks users into downloading malware that allows cyber criminals to steal sensitive information. The two forms of malware are unlikely to come from the same cyber-criminal group, but the success and potency of both demonstrate how SMS has become an attractive means of spreading campaigns.

"If the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software all designed to deceive and steal mobile users' money and other sensitive information," said Proofpoint researchers in a blog post. 

"These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard," they added. 

