
Your Phone Is All Eyes and Ears

Malware campaigns have been terrorizing Android users
across the world this year.
Here,
we will talk about two ongoing campaigns
that have been spreading through SMS messages:
FluBot in Europe,
the UK and New Zealand,
and TangleBot in the US and Canada.

A different kind of Spanish flu

A few days ago,
New Zealand’s Computer Emergency Response Team (CERT NZ)
released an alert
in which they warned about FluBot malware
affecting Android phones.
The victims had received an SMS message
that tricked them into downloading the malware.
The CERT NZ reported that
“The wording of the text messages may be about a parcel delivery
or that photos of the recipient have been uploaded
or a voicemail.
In all cases there will be a link,
asking you to install an app
or a security update.”

FluBot had already been known in Europe
and the UK
since April,
and apparently hit Spain first,
in late 2020.
Even before it expanded out of Spain, four suspects were arrested
in Barcelona
on suspicion of distributing the malware.
Clearly,
that didn’t stop it from spreading.
Apart from being written in the respective languages of each country,
the messages are like the ones currently spreading in New Zealand.
The user gets infected with FluBot
when they install the application.
After that,
it can access the phone contacts list
and keep on spreading.
But, as is usual in smishing attacks,
the main function of FluBot is
to reveal the victim’s credentials to the attacker.
It produces overlay screens
(screens that appear on top of another application in use)
resembling login pages of legitimate banking applications,
or a Google Play verification screen
asking for credit card information,
and proceeds to collect the sensitive information
typed by the victim.

As for how FluBot transmits the data,
it uses a domain generation algorithm (DGA).
Basically,
it constantly computes new domain names
where it can meet the attacker’s server
and pass on the information,
so blocking any single domain doesn’t cut it off.
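To make the DGA point concrete from the defender's side, here is an added example (not code from the post, CERT NZ or Proofpoint) that scores queried domain names from a constructed DNS log for the random-looking labels a DGA produces; the log format, the thresholds and the domains are all assumptions made up for the demo.

```python
import math
import re
from collections import Counter

# Constructed DNS query log; the random-looking domains are made up, not real FluBot IoCs.
SAMPLE_DNS_LOG = """\
2021-10-01T09:12:01Z 10.0.0.23 query A www.example.com
2021-10-01T09:12:05Z 10.0.0.23 query A mail.example.org
2021-10-01T09:12:09Z 10.0.0.23 query A qzxkvjrtpwnhybdf.com
2021-10-01T09:12:10Z 10.0.0.23 query A lmrpqzvtkxwcsnhg.net
2021-10-01T09:12:11Z 10.0.0.23 query A cdn.newsroom.example.net
"""
LOG_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")  # timestamp, client, qname

def shannon_entropy(text: str) -> float:
    """Bits per character; uniformly random letters approach log2(26) ~ 4.7."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def second_level_label(domain: str) -> str:
    """'www.example.com' -> 'example' (naive: ignores public suffixes like co.uk)."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_indicators(domain: str) -> list[str]:
    """Heuristics the domain trips; empty for dictionary-like names."""
    label = second_level_label(domain)
    if not label:
        return []
    hits = []
    if shannon_entropy(label) >= 3.5:
        hits.append("high_entropy")
    if sum(label.count(v) for v in "aeiou") / len(label) <= 0.2:
        hits.append("few_vowels")
    if len(label) >= 12:
        hits.append("long_label")
    return hits

def suspicious_domains(log_text: str, min_hits: int = 2) -> list[str]:
    """Queried domains tripping at least min_hits heuristics, deduplicated, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        domain = m.group(3)
        if len(dga_indicators(domain)) >= min_hits and domain not in flagged:
            flagged.append(domain)
    return flagged
```

Wordlist-based DGAs and hashed CDN hostnames will respectively evade and trip these character heuristics, so treat hits as triage leads, not verdicts.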

The fact that it keeps changing its lures
makes FluBot a resistant kind of sickness.
Most recently,
FluBot is trying to fool users
by telling them that they’ve already been infected.
It prompts the user to tap on “Install security update”
in order to remove the malware,
only to actually get infected.

Figure 1. Screen prompting to download FluBot. Source: cert.gov.nz.

Update Flash Player? Sure, why not?!

A more recent malware,
and arguably more dangerous,
is TangleBot.
It was discovered last month
by researchers at Proofpoint.
Some of the SMS messages crafted to spread it
act as notifications about COVID-19 vaccination appointments
or new regulations;
others falsely inform about potential local power outages.
The message provides a legit-looking link.
When the user taps on it,
the game is on.

Probably the first noticeable red flag is that the user is presented
with a request to update Adobe Flash Player in order to view the
content. As the success of this campaign has proven, many people are not
aware, or are too distracted to remember, that, starting this year, Adobe
stopped supporting Flash Player, and that it hasn’t supported it on
Android devices since 2012 anyway.
There. Inform your loved ones.

A second red flag should be
that the user is asked to go to Settings
and allow the installation of applications
from unknown sources.
Once installed,
this fake Flash Player
(henceforth, TangleBot)
asks to have full control of the device.
And it means just that.
Take a quick look at Figure 2.
Those are the permissions requested by TangleBot.

Figure 2. Permissions requested by TangleBot. Source: proofpoint.com.

From the user’s side of the story,
they have surrendered their device configuration settings,
functionalities and information to TangleBot.
Now,
from the attacker’s side,
it’s a matter of communicating with the malware
to gain access.
They do this by sending cryptic messages to the device
through social media messaging.
The messages may seem like gibberish but,
to the malware,
they are orders.
Once connected to the device,
the attacker goes into full surveillance mode.
As reported by the researchers,
“The control afforded by the malware allows
for the monitoring and recording
of all aspects of user activity,
including websites visited,
collection of typed passwords,
audio and video from the microphone/camera,
and can harvest data
including SMS activity and stored content.”

Just like FluBot,
TangleBot can generate overlay screens
resembling login pages of known applications
and access the victim’s contacts
to propagate by sending SMS messages to them.
But one of the characteristics
that has been found to set TangleBot apart
from other malware
is that it allows the attacker
to record audio
and stream it to their systems.
This poses the risks of identity theft
and impersonation.
In relation to this,
the researchers also highlight
the possibility of attackers dialing costly premium services,
resulting in financial loss for the victim.

Finally,
a characteristic that earned TangleBot its name
is the complexity of techniques
that it uses to hide its functionality
and prevent being detected by anti-malware software.
This behavior is commonly known as “obfuscation.”
The researchers say,
“The malware uses various obfuscating techniques
including hidden .dex files
[into which Android programs are compiled],
modular and functional design characteristics,
minified code,
and excessive unused code.
Taken together,
this is a tangled mess of code
that is both difficult and timely to dissect.”

Any tips other than not tapping?

In our post about smishing,
we advise against opening links in SMS messages
and recommend contacting the supposed sender
through their official communication channels instead.
But,
of course,
we’ve learned a few other things
from the malware campaigns we described here.
Namely,
beware of any application asking you
to allow the installation of applications
from unknown sources
and always make sure to check the permissions
an application requests.
Oh!
And remember that you won’t be needing Adobe Flash Player!
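As an added example tied to the permission advice above and to the capabilities described for TangleBot (overlays, SMS spreading, audio and video capture, sideloading), this script, which is not from the post or from Proofpoint, reads a constructed AndroidManifest.xml and reports which of those capability clusters its declared permissions enable; the manifest content and the risk thresholds are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the capabilities described in the post
# (overlays, SMS spreading, audio/video capture, sideloading); not TangleBot's real one.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""

# Capability clusters from the FluBot/TangleBot write-ups, keyed to the
# standard Android permissions that enable them.
CAPABILITIES = {
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_propagation": {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "audio_video_capture": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "sideloading": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def risky_capabilities(perms: set[str]) -> dict[str, set[str]]:
    """Capability -> the enabling permissions actually declared (only non-empty)."""
    found = {cap: needed & perms for cap, needed in CAPABILITIES.items()}
    return {cap: p for cap, p in found.items() if p}

def triage(manifest_xml: str) -> tuple[dict[str, set[str]], str]:
    """Rate the manifest: 'high' when three or more capability clusters co-occur.

    Manifest permissions are necessary but not sufficient: accessibility-service
    abuse and runtime grants are not visible here, so treat this as a first filter."""
    caps = risky_capabilities(declared_permissions(manifest_xml))
    verdict = "high" if len(caps) >= 3 else "medium" if caps else "low"
    return caps, verdict
```

Run it against a manifest pulled from an APK with a decoder such as apktool to get the same capability breakdown an analyst would want before installing anything from outside the store.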

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/android-flubot-tanglebot/