Android phone users in Canada and the United States should be wary of a new cybercrime technique that can steal personal information, control their interaction with apps and harvest account credentials from financial activity conducted on the phone.
That’s the warning coming from California-based global online security firm Proofpoint, whose threat analysts say short message service (SMS) text messaging is being used as the delivery channel for malware attacks.
“Harvesting of personal information and credentials in this manner is extremely troublesome for mobile users because there is a growing market on the dark web for detailed personal and account data,” a Proofpoint report released Sept. 21 said.
Indeed, the technocrooks can even use an Android’s camera and microphone to spy on the phone’s owner.
The technique is called smishing: a phishing attack carried out over mobile text messaging rather than email.
“Mobile users should be on the lookout for this extremely advanced smishing lure that relies on multiple layers of obfuscation and entangled functions to cleverly hide its download as a software update that can take control of your phone and share personal information with the attacker,” said Jacinta Tobin, Proofpoint’s vice-president of Cloudmark Operations.
Those entangled functions have led to the malware being dubbed Tanglebot.
“TangleBot uses SMS text message lures with content about COVID regulations and the third dose of COVID vaccines to trick mobile subscribers into downloading malware, which then takes over their phone,” the Proofpoint report said.
If a user taps the link about a third dose, a website appears claiming that the Adobe Flash Player on the device is out of date and must be updated. Clicking through the subsequent dialog boxes installs the TangleBot malware on the Android device.
Once that malware is installed, TangleBot is granted privileges to access and control many device functions, including contacts, SMS and phone capabilities, call logs, internet, camera and microphone, and GPS, Proofpoint found.
“The attacker can now make and block phone calls; send, obtain, and process text messages; record the camera, screen, or microphone audio or stream them directly to the attacker; place overlay screens on the device covering legitimate apps and screens; and implement other device observation capabilities.”
Investigators said the malware’s ability to detect installed apps, monitor app interactions and inject overlay screens is extremely problematic because it enables the theft of financial information: an overlay placed over a legitimate banking app can capture whatever the user types into it.
Derek Manky is chief of security insights and global threat alliance for Fortinet, a California-based company with a research and development centre in Burnaby.
He said cybercriminals are increasingly turning to smishing. While technology users are becoming more educated, and perhaps more suspicious of odd things on their devices, Manky said, cybercrooks are increasingly choosing to steal from infected phones.
“It’s all too easy for cybercriminals to leverage more phones to leverage financial information,” he said.
He warned against being click-happy when downloading apps. Instead, he said, take the time to research the app first.
“If it’s published in the last few days, that’s a big red flag,” he said. Moreover, he said, have another way of verifying that a message is genuine than the text message itself.
Proofpoint warns Android users to:
- watch for suspicious text messages;
- carefully consider before providing mobile phone numbers to enterprises or other commercial entities;
- be leery of package delivery notifications that contain a web link;
- report smishing and spam; forward spam text messages to 7726, which spells “SPAM” on the phone keypad;
- be careful downloading and installing new software to your mobile device and read install prompts closely, looking out for information regarding rights and privileges that the app may request;
- not respond to any unsolicited enterprise or commercial messages from a vendor or enterprise you don’t recognize. Doing so will often confirm that you’re a real person; and
- not install software on your mobile device.
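The report’s list of capabilities TangleBot obtains (contacts, SMS, phone and call logs, camera, microphone, GPS and screen overlays) maps closely onto the Android permissions an app must declare in its manifest, which is what the advice above about reading install prompts for “rights and privileges” is getting at. The following script, an added example that is neither Proofpoint’s nor Fortinet’s code, parses an AndroidManifest.xml and groups the requested permissions into those capability buckets. The two manifests are constructed for illustration; the permission names are the real `android.permission.*` constants, and the grouping of permissions into buckets and the threshold for the verdict are assumptions chosen here.

```python
"""Group an Android app's requested permissions into the capability buckets named in the
TangleBot report, so an analyst can see at a glance whether a 'Flash Player update' is
asking for a spyware-grade permission set. Added example, not the report's own tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed mapping from the capabilities the report lists to the permissions that grant them.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "phone/call logs": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
                        "android.permission.READ_PHONE_STATE",
                        "android.permission.ANSWER_PHONE_CALLS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "gps": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "screen overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Assumed threshold: an app touching this many buckets deserves a closer look before install.
REVIEW_THRESHOLD = 3


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def capability_report(manifest_xml: str) -> dict:
    """Bucket the permissions by capability and attach a simple verdict."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & names)
            for cap, names in CAPABILITY_PERMISSIONS.items() if perms & names}
    verdict = "review before installing" if len(hits) >= REVIEW_THRESHOLD else "ordinary"
    return {"capabilities": hits, "count": len(hits), "verdict": verdict}


# Constructed sample 1: a small utility that only needs network access.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample 2: a fake "update" requesting the capability set described in the report.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weather", BENIGN_MANIFEST), ("fakeupdate", SUSPICIOUS_MANIFEST)):
        report = capability_report(manifest)
        print(f"{label}: {report['verdict']} ({report['count']} capability buckets)")
        for cap, names in report["capabilities"].items():
            print(f"  {cap}: {', '.join(names)}")
```

A permission declared in the manifest is not the same as a permission granted, and a legitimate messaging or navigation app will land in several of these buckets, so the verdict is a prompt to read the install dialog carefully rather than a malware determination. Separately, Adobe stopped offering Flash Player for Android in 2012 and ended support for Flash entirely at the end of 2020, so any prompt to update it on a phone is itself a signal that something is wrong, regardless of what the app then requests.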
And, said Manky, make sure you’re using multi-factor authentication.