New malware seizes COVID-19 to target Android users

A new form of malware that experts call “TangleBot” exploits interest in COVID-19 to trick Android users in the United States and Canada into clicking a link that infects their phones, according to mobile analysts at the email security company Cloudmark.

Cloudmark says the “smart and complicated” malware is delivered by text messages that claim to contain the latest COVID-19 guidelines for the recipient’s area, or that notify the recipient that their third COVID-19 vaccine appointment has been scheduled. When users click the link provided, they are prompted to update their phone’s Adobe Flash Player; the “update” instead installs the malware on their phone, according to Cloudmark.

Here’s what such a text message might look like, according to Cloudmark:

Image: Possible TangleBot message that hackers would send to try to trick users into clicking the malware link


“Once that happens, the TangleBot malware can do a ton of different things,” Ryan Kalember, executive vice president of cybersecurity at Proofpoint, the parent company of Cloudmark, told CBS News. “It can access your microphone, it can access your camera, it can access SMS, it can access your call logs, your internet, your GPS so that it knows where you are,” Kalember added.

Kalember said hackers had been using TangleBot for “weeks” and that the impact could potentially be “very widespread”. However, Android does have some built-in protections. Before the malware is installed, Android warns users about the dangers of software from “unknown sources”, and a series of permission dialogs is displayed before the phone becomes infected.

“What makes TangleBot pretty interesting right now is that they use some incredibly cool decoys that all match the kinds of things we hear about in the news with COVID, whether we’re talking about the booster or other stuff that you are likely to see on the front page of whatever site you visit,” Kalember said.

According to Kalember, the TangleBot malware can show infected users an “overlay” screen that looks genuine but is actually a fake window drawn by the attackers to steal information. These overlays are used to steal banking credentials: users believe they are logging into their mobile banking service while typing their details into a fake screen, which then forwards them to the hackers.

“I hope that [users] would remember the Adobe Flash prompt, but after that they probably won’t see much of TangleBot,” Kalember said. “Like most mobile malware, it is relatively stealthy in terms of appearance.”

Once the malware is installed on the device, “it’s quite difficult to remove it,” according to Kalember, and the stolen information can be monetized in the future. Hackers who steal credentials in this way often sell them online, rather than using them directly themselves. Cloudmark analysts note that “there is a growing market for personal and detailed account data” on the dark web.

“There are a number of ways that infected Android devices can be monetized,” Kalember said. “Even if they don’t commit bank fraud right away, there could be plenty of other ways to monetize these stolen credentials,” he added.

Kalember added that even if an Android user discovers the TangleBot malware and manages to remove it, the attackers can still simply hold on to the stolen information without taking immediate action, lulling victims into believing their information was never compromised.

With criminals “increasingly using mobile messaging” as an attack method, Cloudmark says users should not respond to unsolicited commercial messages and should think twice before giving their number to commercial entities. The company’s analysts advise users to refrain from clicking links in text messages, and to be especially wary of messages that include a package delivery warning or notification.

Kalember pointed out that this discovery does not mean that there is a security hole with Android. Cloudmark analysts and engineers have worked with Google to make sure the company can detect the threat and notify users.

“This exploits the user’s vulnerability,” Kalember said. “Basically, you are tricked into installing the attacker’s code.”