BACKGROUND:

It has been reported that security researchers at Cloudmark, a Proofpoint company, have discovered a new mobile malware strain spread via SMS that cybercriminals are using to target users across the US and Canada with Covid-19 lures. The malware has been dubbed TangleBot because of its many levels of obfuscation and because it is able to control a multitude of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, camera and microphone.

Experts' Comments

September 28, 2021
Hank Schless
Senior Manager, Security Solutions
Lookout

Tanglebot is the latest in a constant stream of malicious mobile apps that target individuals with social engineering and convince targets to download malware. Malware like this, which is broadly applicable, is usually blasted out en masse to mobile users through messaging platforms like SMS, third-party messaging apps, and social media. 

Earlier this year, FluBot ran rampant across Europe. It was delivered through SMS and posed as a parcel delivery alert, only to ask the victim to download an app that’s actually laced with this dangerous banking trojan. Campaigns like this are often built with artifacts of previously used malware. Leveraging a security solution with a massive dataset supporting it is key to keeping ahead of these types of malicious campaigns. Thanks to its dataset of security telemetry from over 200 million devices and 150 million mobile apps, the Lookout Security Graph automatically detected this malware as Medusa and pushed coverage to Lookout customers without anyone needing to lift a finger.

Social engineering that uses the pandemic as a lure continues to be a major issue globally. At the start of the pandemic, between Q4 of 2019 and Q1 of 2020, Lookout data shows a 30% jump in the number of both enterprise and consumer users who encountered at least one phishing link. Upon further investigation, a majority of the phishing links being used at that time had something to do with the pandemic.

It’s advantageous for attackers to leverage socially uncertain situations in order to make their phishing campaigns more effective. People are more likely to let their guard down and interact with something online that promises information they need. For example, at the start of the pandemic lots of attacks used lures around closures, government aid, and contact tracing to trick people into downloading malware or giving up login credentials for sensitive data. 

Now, a year later, Lookout data shows a 55% increase in mobile phishing exposure from Q4 of 2020 to the entire first half of 2021. Attackers are coming full circle and using the same tactics with slightly different lures in order to spread malware. Now, there are messages around vaccines, the Delta variant, and re-opening information that attackers know their targets crave. 

Phishing, especially on mobile, is a massive headache for enterprise security teams. Mobile devices offer countless channels for attackers to deliver socially engineered phishing campaigns with the goal of swiping corporate login credentials or installing advanced malware that can exfiltrate sensitive data from the device. For organizations that allow employees to use personal devices for work in a BYOD model, the risk is even higher considering the number of personal apps people use. Attackers can deliver campaigns through SMS, social media, third-party messaging apps, gaming and even dating apps.

While IT and security teams know this is a challenge, they often have a hard time solving the problem because they need to secure both personal and work-enabled devices without violating end-user privacy. With personal privacy at the top of everyone’s mind, organizations need to leverage security solutions that can protect both managed and unmanaged devices without violating employee privacy. 

Attackers also primarily use mobile phishing as a jumping-off point. Once they’ve stolen login credentials, they’re free to log in from any device. Most frequently, they’ll hop over to their laptop and try to log into a number of common cloud-based services such as Google Workspace, Office 365, AWS, Workday, or Salesforce with that employee’s compromised credentials. Once they’re inside the infrastructure, the attacker can move laterally and start to find out where the crown jewels are hidden. From there, they can encrypt that data to execute a ransomware attack or exfiltrate it for sale on the dark web. This attack chain is why organizations need to have visibility and access control for users, their devices, the apps they want to access, and the data stored within them.

To keep ahead of attackers who want to leverage this attack chain, organizations everywhere should implement security across mobile devices with mobile threat defense (MTD), protect cloud services with cloud access security broker (CASB), and implement modern security policies on their on-prem or private apps with Zero Trust Network Access (ZTNA). A security platform that can combine MTD, CASB, and ZTNA in one endpoint-to-cloud solution that also respects end-user privacy regardless of the type of device they’re on is a key part of implementing zero trust across the infrastructure and keeping ahead of the latest cybersecurity threats.
