Security researchers from Cloudmark have discovered a new piece of mobile malware strain spread via SMS that cybercriminals are using to target users across the U.S. and Canada with COVID-19 lures.

TangleBot uses SMS text message lures with content about COVID regulations and the third dose of COVID vaccines to trick mobile subscribers into downloading malware that compromises the security of the device and configures the system to allow for the exfiltration of confidential information to systems controlled by the attacker(s). 

The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone.

TangleBot can overlay banking or financial apps, directly steal the victim’s account credentials, and use the victim’s device to message other mobile devices spreading throughout the mobile network. Researchers say the capabilities also enable the theft of considerable personal information directly from the device and through the camera and microphone, spying on the victim.

Harvesting of personal information and credentials in this manner is exceptionally troublesome for mobile users because there is a growing market on the dark web for detailed personal and account data, Cloudmark says. Even if the user discovers the TangleBot malware installed on their device and can remove it, the attacker may not use the stolen information for some time, rendering the victim oblivious of the theft.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, explains, “Tanglebot is the latest in a constant stream of malicious mobile apps that target individuals with social engineering and convince targets to download malware. Malware like this, which is broadly applicable, is usually blasted out en masse to mobile users through messaging platforms like SMS, third-party messaging apps, and social media. Earlier this year, FluBot ran rampant across Europe. It was delivered through SMS and posed as a parcel delivery alert, only to ask the victim to download an app that’s laced with this dangerous banking trojan.

Campaigns like this are often built with artifacts of previously-used malware. Leveraging a security solution with massive data supporting it is key to keeping ahead of these types of malicious campaigns. Thanks to its dataset of security telemetry from over 200 million devices and 150 million mobile apps, the Lookout Security Graph automatically detected this malware as Medusa and pushed coverage to Lookout customers without anyone needing to lift a finger. 

Social engineering that uses the pandemic as a lure continues to be a major issue globally. At the start of the pandemic, between Q4 of 2019 and Q1 of 2020, Lookout data shows a 30% jump of both enterprise and consumer users that encountered at least one phishing link. Upon further investigation, most of the phishing links being used at that time had something to do with the pandemic. It’s advantageous for attackers to leverage socially uncertain situations to make their phishing campaigns more effective. People are more likely to let their guard down and interact with something online that promises information they need. For example, at the start of the pandemic, lots of attacks used lures around closures, government aid, and contact tracing to trick people into downloading malware or giving up login credentials for sensitive data. 

Now, a year later, Lookout data shows a 55% increase in mobile phishing exposure from Q4 of 2020 to the entire first half of 2021. Attackers are coming full circle and using the same tactics with slightly different lures in order to spread malware. Now, there are messages around vaccines, the Delta variant, and re-opening information that attackers know their targets crave. 

 Phishing, especially on mobile, is a massive headache for enterprise security teams. Mobile devices offer countless channels for attackers to deliver socially engineered phishing campaigns to swipe corporate login credentials or install advanced malware that can exfiltrate sensitive data from the device. For organizations that allow employees to use personal devices for work in a BYOD model, the risk is even higher considering the number of individual apps people use. Attackers can deliver campaigns through SMS, social media, third-party messaging apps, gaming and even dating apps. 

While IT and security teams know this is a challenge, they often have difficulty solving the problem because they need to secure both personal and work-enabled devices without violating end-user privacy. With personal privacy at the top of everyone’s mind, organizations need to leverage security solutions to protect both managed and unmanaged devices without violating employee privacy. 

Attackers also primarily use mobile phishing as a jumping-off point. Once they’ve stolen login credentials, they’re free to log in from any device. They’ll often hop over to their laptops and try to log into many standard cloud-based services such as Google Workspace, Office 365, AWS, Workday, or Salesforce with that employee’s compromised credentials. Once they’re inside the infrastructure, the attacker can move laterally and start to find out where the crown jewels are hidden. From there, they can encrypt that data to execute a ransomware attack or exfiltrate it for sale on the dark web. This attack chain is why organizations need to have visibility and access control for users, their devices, the apps they want to access, and the data stored within them. 

To keep ahead of attackers who want to leverage this attack chain, organizations everywhere should implement security across mobile devices with mobile threat defense (MTD), protect cloud services with cloud access security broker (CASB), and implement modern security policies on their on-prem or private apps with Zero Trust Network Access (ZTNA). A security platform that can combine MTD, CASB, and ZTNA in one endpoint-to-cloud solution that also respects end-user privacy regardless of the type of device they’re on is a crucial part of implementing zero trust across the infrastructure and keeping ahead of the latest cybersecurity threats.”