{
	"id": "7f3224e3-1678-4b6c-8015-7f2fe9265a04",
	"created_at": "2026-04-06T00:19:43.678803Z",
	"updated_at": "2026-04-10T03:21:53.189272Z",
	"deleted_at": null,
	"sha1_hash": "bdf12110aee126792d871f8d28e35376af94b689",
	"title": "TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures | Cloudmark EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 518614,
	"plain_text": "TangleBot: New Advanced SMS Malware Targets Mobile Users\r\nAcross U.S. and Canada with COVID-19 Lures | Cloudmark EN\r\nSeptember 23, 2021, by Felipe Naves, Andrew Conway, W. Stuart Jones, and Adam McNeil\r\nPublished: 2021-09-21 · Archived: 2026-04-05 21:48:27 UTC\r\nKey Takeaways\r\nA clever and complicated new SMS malware attack has been discovered in the United States and Canada.\r\nThis malware, coined TangleBot, can directly obtain personal information, control device interaction with\r\napps and overlay screens, and steal account information from financial activities initiated on the device.\r\nOverview\r\nCloudmark threat analysts have discovered a new piece of mobile malware spreading via SMS and currently\r\ntargeting Android mobile users in the United States and Canada. TangleBot uses SMS text message lures with\r\ncontent about COVID regulations and the third dose of COVID vaccines to trick mobile subscribers into\r\ndownloading malware that compromises the security of the device and configures the system to allow for the\r\nexfiltration of confidential information to systems controlled by the attacker(s). 
The malware has been given the\r\nmoniker TangleBot because of its many levels of obfuscation and control over a myriad\r\nof entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and\r\ncamera and microphone.\r\nTangleBot Malware Function\r\nFollowing in the footsteps of the FluBot SMS Android malware that has proven to be an ongoing threat in Europe\r\nand the UK, TangleBot attempts to trick mobile users into downloading malicious software by sending COVID-19 warning notifications (Figures 1 and 2).\r\nhttps://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19\r\nPage 1 of 6\n\nFigure 1.\r\nFigure 2.\r\nShould a user fall victim and click on the link in the message, a website appears notifying the user\r\nthat the Adobe Flash Player on the device is out of date and must be updated. If the user clicks on\r\nthe subsequent dialog boxes, TangleBot malware is installed on the Android device.\r\nTangleBot is then granted privileges to access and control many device functions (Figures 3 through 5),\r\nincluding contacts, SMS and phone capabilities, call logs, internet, camera and microphone, and GPS.\r\nFigure 3.\r\nFigure 4.\r\nFigure 5.\r\nThe attacker can now do the following: \r\nmake and block phone calls\r\nsend, obtain, and process text messages\r\nrecord the camera, screen, or microphone audio or stream them directly to the attacker\r\nplace overlay screens on the device covering legitimate apps and 
screens\r\nimplement other device observation capabilities\r\nThe ability to detect installed apps, app interactions, and inject overlay screens is extremely problematic. As we\r\nhave seen with FluBot, TangleBot can overlay banking or financial apps and directly steal the victim’s account\r\ncredentials. Also, TangleBot can use the victim’s device to message other mobile devices spreading throughout the\r\nmobile network. The capabilities also enable the theft of considerable personal information directly from the\r\ndevice and through the camera and microphone, spying on the victim. Harvesting of personal information and\r\ncredentials in this manner is extremely troublesome for mobile users because there is a growing market on the\r\ndark web for detailed personal and account data. Even if the user discovers the TangleBot malware installed on\r\ntheir device and is able to remove it, the attacker may not use the stolen information for some period of\r\ntime, rendering the victim oblivious of the theft.\r\nMobile Users Should Be Aware\r\nMobile users should be alert and on the lookout for these unexpected SMS warning messages and follow\r\nthese SMS best practices:\r\nDo’s\r\n1. Be on the lookout for suspicious text messages. Criminals are increasingly using mobile messaging and SMS\r\nphishing as an attack vector.  \r\n2. Carefully consider before providing your mobile phone number to an enterprise or other commercial entity.  \r\n3. If you receive a message from any enterprise, including some sort of warning or package delivery notification\r\nthat contains a web link, use your device’s browser to access the enterprise’s or service’s website directly. Do not\r\nuse the web link provided in the text message. 
Do this as well for any offer codes you receive by entering them\r\ndirectly into the enterprise’s or service’s website from your browser.\r\n4. Report SMS phishing and spam. Use the spam reporting feature in your messaging client if it has one, or\r\nforward spam text messages to 7726, which spells “SPAM” on the phone keypad.  \r\n5. Be careful downloading and installing new software to your mobile device and read install prompts closely,\r\nlooking out for information regarding rights and privileges that the app may request.  \r\nDon’ts\r\n1. Don’t respond to any unsolicited enterprise or commercial messages from a vendor or enterprise you don’t\r\nrecognize. Doing so will often confirm that you’re a “real person.”\r\n2. Don’t install software on your mobile device outside a certified app store from the vendor or Mobile Network\r\nOperator.\r\nFor more information on our security platform for mobile messaging, please\r\nvisit: https://www.cloudmark.com/en/s/products/cloudmark-security-platform-for-mobile.\r\nSource: https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"
	],
	"report_names": [
		"tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"
	],
	"threat_actors": [],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdf12110aee126792d871f8d28e35376af94b689.pdf",
		"text": "https://archive.orkl.eu/bdf12110aee126792d871f8d28e35376af94b689.txt",
		"img": "https://archive.orkl.eu/bdf12110aee126792d871f8d28e35376af94b689.jpg"
	}
}