“TangleBot” uses COVID-19 Interest to Trick Android Users into Downloading Malware


A new malware targeting Android users takes advantage of the COVID-19 pandemic in an attempt to infect cell phones. The new malware, “TangleBot”, relies on a person’s interest in COVID-19 to trick the user into clicking a link that will infect their phone with malware, according to analysts at Cloudmark, a mobile and email security company.

Cloudmark says that the “clever and complicated” malware sends Android users a text message that claims to have the latest COVID-19 guidance in their area, or informs them that their third COVID-19 vaccination appointment has been scheduled. If the user clicks on the link in the text message, they’re asked to update the Adobe Flash player on their phone, which instead installs the virus.

According to Cloudmark, the text message could look similar to the image below:

[Image: example of a TangleBot text message]

“Once that happens, the TangleBot malware can do a ton of different things,” says Ryan Kalember, executive vice president of cybersecurity at Cloudmark’s parent company Proofpoint. “It can access your microphone, it can access your camera, it can access your SMS, it can access your call logs, your internet, your GPS so it knows where you are,” Kalember added.

Kalember noted that hackers have been using TangleBot for “weeks”, and that its impact could be “very widespread.” However, Android has protections in place against the malware. Prior to download, users are given a warning by Android about the dangers of downloading software from “unknown sources”, and a series of permissions boxes are displayed before the phone is infected.

“What is making TangleBot fairly interesting right now is that they are using incredibly fresh lures that all map to the sorts of things that we’re hearing about in the news with COVID, whether we are talking about the booster or other things that you are likely to see on the front page of whatever news site you go to,” Kalember said.

TangleBot has the ability to show hacked users an “overlay” screen that appears authentic but is instead a fake window that attackers use to steal information. The overlays are being used to gain access to banking credentials, as users may not realize that they are logging into their bank accounts through a fake screen that sends their information to the attackers.

“I would hope that [users] would remember the Adobe Flash prompt but after that they probably won’t see very much from TangleBot,” Kalember states. “Like most pieces of mobile malware, it is relatively stealthy in terms of its appearance.”

Once TangleBot is installed on an Android device it’s hard to remove it, and the stolen information can be monetized well into the future because hackers usually sell this information rather than keeping it for themselves. Cloudmark analysts agree that “there is a growing market for detailed personal and account data” on the dark web.

Kalember says, “The infected Android devices can be monetized in lots of different ways. Even if they don’t do banking fraud right away, there might be lots of other ways to monetize those stolen credentials.”

Another scary element of TangleBot malware is that if an Android user discovers it and is able to remove it, the attackers can just hold on to the information they have already collected and use it at a future date – leaving the victims with a false sense of security.

Cyber criminals are using mobile messaging more and more as a way to attack unsuspecting users. Knowing this, Cloudmark says users should not respond to unsolicited commercial messages and should use caution when providing their number to a commercial service. Analysts at Cloudmark also advise against clicking on links in text messages and say to be especially wary of ones that include a warning or a package delivery notification.

Kalember stresses that the discovery of TangleBot does not mean that there is a security vulnerability with Android. Cloudmark analysts and engineers worked with Google to ensure they can detect the malware threat and warn users.

“This is exploiting the user’s vulnerability,” says Kalember. “You are basically being tricked into installing the attacker’s code.”

 

Story via CBS News
