{
	"id": "87217387-7334-4299-81a4-b76a0d1f29a2",
	"created_at": "2026-04-06T00:09:48.472373Z",
	"updated_at": "2026-04-10T13:12:03.404696Z",
	"deleted_at": null,
	"sha1_hash": "25d8837aa9f6a87c79c2a5593b8ef11172a29526",
	"title": "Mobile Malware: TangleBot Untangled | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1832682,
	"plain_text": "Mobile Malware: TangleBot Untangled | Proofpoint US\r\nBy Felipe Naves, Adam McNeil, and Andrew Conway, October 04, 2021\r\nPublished: 2021-10-01 · Archived: 2026-04-05 13:21:09 UTC\r\nKey Takeaways\r\nTangleBot is leveraging COVID-19 and electricity-themed lures in its effort to convince users to click on the malicious link and install the malware.\r\nThe SMS links are only malicious on Android mobile devices and are currently only being sent to US and Canadian users.\r\nTangleBot, while sharing some similarities with the Medusa malware, has some key distinguishing features that make it particularly threatening, such as its advanced behaviors and transmission abilities and its use of a string decryption routine as part of its obfuscation.\r\nOverview\r\nOn the heels of a busy summer tracking the rapid spread of FluBot mobile malware across Europe and Australia, Proofpoint researchers have observed yet another malware campaign, dubbed TangleBot, designed to steal mobile users’ sensitive information. TangleBot started off using ever-popular Covid-themed lures to trick Android users in Canada and the United States into installing malware on their devices. Proofpoint threat analysts recently covered a high-level overview of TangleBot on the Cloudmark blog, warning mobile users of this threat. In this blog, researchers dive into the malware, detailing what makes it interesting and why it has been coined TangleBot.\r\nProofpoint took notice of this malware prior to widespread distribution and worked with our partners at Google to ensure Google Play Protect adequately detects the software (Figure 1), helping ensure protection for the greater global community.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled\r\nPage 1 of 18\r\nFigure 1. Google Play Protect alert banner stating that the malicious software has been removed.\r\nThe SMS Lure\r\nProofpoint analysts first detected this attack in early September 2021. The initial lures came in the form of Covid-19 SMS messages masquerading as legitimate medical notifications. The messages contained links to URLs pertaining to Covid-19 or vaccine information and appeared legitimate to unsuspecting users.\r\nA follow-up campaign has been detected using messaging related to a potential power outage and targeting users of hydroelectric plants across the United States and Canada.\r\nFigure 2. Vaccine lure.\r\nFigure 3. Covid lure.\r\nFigure 4. Electricity lure.\r\nInstallation\r\nIf users click the link contained within the text message, threat actors use the time-tested method of advising users that Adobe Flash Player needs an update to display the content. There is obviously no need to worry that Adobe stopped supporting this product after December 31, 2020, or that Adobe Flash Player has not been supported on any mobile device since 2012. Threat actors play on this lack of understanding to help eliminate unsatisfactory targets who may uncover the ruse too quickly.\r\nUnsuspecting users are presented with a series of dialog boxes requesting acceptance of the permissions and installation from unknown sources. Proofpoint analysts counted no fewer than nine dialog boxes that users must click through prior to the full installation of the malware. While this may seem like a lot, the lesson learned from the FluBot outbreak over the summer is that users tend to disregard the multiple warnings and permissions and still download and install software from unknown sources. The following nine images highlight the experience of a victim from APK download (the installer file for Android) through the completed installation of the software.\r\nFigures 5-13. TangleBot installation windows.\r\nPermissions\r\nTangleBot requests access to many permissions, allowing for eavesdropping and the exfiltration of sensitive data. These permissions grant the malware the ability to modify device configuration settings, record user activity, track location, and transmit the stolen information back to systems controlled by the threat actor.\r\nFigure 14. Permissions requested by TangleBot.\r\nBehind the Scenes\r\nOutside of the observable malware behavior, there are several activities taking place, including the setup and configuration of the malware and the capabilities available to the threat actor post-infection. Below we will look at a few of these capabilities.\r\nCommand and Control (C2) - Setup\r\nThe threat actor uses social media messaging to deliver covert C2 infrastructure information to infected devices. The messaging in the detected sample arrives via Telegram but could easily be replaced by another online service of the threat actor’s choice. The information is disseminated within cryptic posts that would be unrecognizable without proper context. The malware searches for defined patterns within the specified social media pages. Once located, the malware can receive threat actor-supplied instructions.\r\nFigure 15. Telegram page showing C2 information and network GET request.\r\nCommand and Control (C2) - Commands\r\nAfter establishing connectivity with the infected device, dozens of instructions are used to interact with it and to exfiltrate data and other sensitive information.\r\nSpecific instructions allow for the control and monitoring of infected devices, manipulation of user data and browser activity, and the theft of confidential information. The following is a short list of a few available C2 commands:\r\nCall and SMS control\r\nHTML injection\r\nScreen capture\r\nCamera capture\r\nMicrophone capture\r\nUnblock apps\r\nKeylogging capability\r\nUSSD messaging\r\nRunning apps\r\nTrack settings\r\nAutofill text boxes\r\nCopy Clipboard\r\nDisplay Play Protect Settings\r\nSet screen brightness\r\nRemove Admin\r\nCurrent Window ghost\r\nIgnore Battery Optimizations\r\nFunctionality\r\nTangleBot allows the threat actor full control over infected devices. The control afforded by the malware allows for the monitoring and recording of all aspects of user activity, including websites visited, typed passwords, and audio and video from the microphone and camera, and for harvesting data such as SMS activity and stored content. This allows for a full range of surveillance and collection capabilities.\r\nHTML Injection\r\nHTML injection is used to generate fake application overlay screens. These screens may perfectly resemble the login pages of financial institutions and are designed to compromise the credentials of unsuspecting users. This type of overlay functionality is likely what caused widespread financial loss from the FluBot malware family. Below is an example of the HTML injection.\r\nFigure 16. TangleBot HTML injection.\r\nGPS Location Services\r\nTangleBot also uses GPS location data, which enables threat actors to identify the location of the device and helps deliver relevant attack data based on geography, language, or other criteria chosen by the threat actor. This information may also be used for more nefarious purposes, including the tracking and identification of specific victims, and for routine purposes such as helping to identify systems used by researchers and analysts.\r\nFigure 17. TangleBot GPS tracking services.\r\nVoice Recording\r\nWe have identified several components used for voice recording using the microphone. Audio is recorded at times determined by the threat actor, and the collected content is transmitted via RTSP to threat actor-controlled systems. RTSP (Real Time Streaming Protocol) offers advantages in compatibility and flexibility and allows data transmission via continuous streams rather than from a file on disk.\r\nThe purpose of voice recording is multifaceted and can introduce the risk of second-order effects or impacts. Threat actors can use stolen voice information to impersonate voice biometric identification patterns in use by major financial organizations. These voice biometrics help companies verify the identity of the caller, but could be used by crafty attackers to impersonate the victim or to create deepfake voice technology, resulting in additional schemes or financial loss.\r\nFigure 18. TangleBot RTSP functionality.\r\nMake a Call\r\nAnother capability uncovered within the TangleBot functionality is the ability to place a call from the victim device. This capability could be used to dial premium services, resulting in financial loss, or to use the device to initiate a call impersonating the victim. Combine this with voice biometric identification and it is not difficult to understand the potential danger this functionality poses.\r\nFigure 19. TangleBot call functionality.\r\nA New Evolution in Familiar Malware\r\nTangleBot shares some similar behaviors with another piece of malware, Medusa, as noted by other researchers, including recently by our peers at Cyble. Those researchers, who have also looked into this same campaign, have produced a detailed write-up containing additional information not covered in this blog. That research attributes the malware to the Medusa campaign from 2020.\r\nWe distinguish between that campaign and this one because of interesting malware characteristics not previously seen in Medusa-related SMS campaigns. Characteristics relating to keylogging functionality, overlay ability, and data exfiltration are routine behaviors in any malware arsenal. TangleBot, however, sets itself apart with advanced behaviors and transmission capabilities, while showcasing the latest evolutions in malware attempting to thwart biometric voice-authentication security systems. One final component of TangleBot not seen in the original Medusa is the advanced use of a string decryption routine that helps obfuscate and conceal the behavior of the malware. All of those factors combined are what led Proofpoint researchers to the updated nomenclature.\r\nFigure 20. String decryption routine.\r\nTangleBot Name\r\nProofpoint researchers chose the name TangleBot to represent this malware due to the many obfuscation layers used to hide the purpose and functionality of the software. The malware uses various obfuscation techniques including hidden .dex files, modular and functional design characteristics, minified code, and excessive unused code. Taken together, this is a tangled mess of code that is both difficult and time-consuming to dissect.\r\nFigure 21. Obfuscation using mathematical equations to encrypt strings.\r\nOutlook\r\nIf the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software, all designed to deceive mobile users and steal their money and other sensitive information. These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard.\r\nEmergingThreats PRO Detection Rules\r\n2850020: Android TangleBot Activity\r\n2850021: Android TangleBot CnC Response\r\nIndicators of Compromise\r\nFilename(s): Flash_Player.apk\r\nMD5: 5E176F2514481137618DB5592FD84D13, 2F0693ADF07EB36220C04F1DE2385029\r\nPackage name: com.ltjkqj.erfycvar, com.ltrmht.nfzyqttg\r\nMainActivity pkg names: com.ltjkqj.erfycvar.MainActivity\r\nIcon: YouTube\r\nServer: sock.godforgiveuss.live, 172.107.133.201\r\nPort: 20027\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/mobile-malware-tanglebot-untangled"
	],
	"report_names": [
		"mobile-malware-tanglebot-untangled"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25d8837aa9f6a87c79c2a5593b8ef11172a29526.pdf",
		"text": "https://archive.orkl.eu/25d8837aa9f6a87c79c2a5593b8ef11172a29526.txt",
		"img": "https://archive.orkl.eu/25d8837aa9f6a87c79c2a5593b8ef11172a29526.jpg"
	}
}