TangleBot

Malware

⚠️ Overview

TangleBot is an Android remote access trojan (RAT) first discovered in September 2021 by Cloudmark (now part of Zscaler ThreatLabz). Its operators remain unidentified, but the malware targets mobile users in North America, primarily through SMS phishing campaigns that impersonate shipping carriers like DHL and FedEx. It falls under the categories of banking trojan, spyware, and RAT, leveraging Android Accessibility Service to perform overlay attacks and steal credentials.

🔧 Technical Capabilities

TangleBot spreads via smishing (SMS phishing) with malicious links that lead to a fake Adobe Flash update page, prompting the user to install a trojanized APK. Once installed, it requests Accessibility Service permissions to monitor screen content, intercept two-factor authentication codes, and perform clickjacking attacks. The malware can exfiltrate SMS messages, call logs, contact lists, and clipboard data; it also records audio via the microphone and captures images using the camera. Its command-and-control (C2) infrastructure uses encrypted HTTP/HTTPS communication with dynamic domains, often hosted on bulletproof hosting providers. Persistence is achieved through Device Administrator abuse and by hiding the app icon from the launcher. Evasion techniques include obfuscated code, dynamic payload loading, and checking for emulators or security tools before executing malicious routines. MITRE ATT&CK techniques employed include T1529 (System Information Discovery), T1412 (Audio Capture), and T1428 (Screen Capture).

📜 History & Notable Incidents

First identified in September 2021, TangleBot campaigns escalated in October 2021, targeting thousands of users across the United States and Canada with fake DHL and FedEx delivery notifications. No high-profile corporate victims have been publicly confirmed, but individual financial accounts were compromised through overlay phishing. No specific CVEs are associated with TangleBot as it relies on social engineering rather than exploiting software vulnerabilities. Law enforcement actions have not been reported against the group behind this malware.

🔍 Detection Indicators

Known package names include com.android.flashupdate and com.android.systemflash, though variants use randomized names. Behavioral signatures include requests for Accessibility Service and Device Admin, as well as unusual background HTTP POST requests to IP addresses associated with AS399718 (Hosting Ukraine) or AS60577 (Hosting Ukraine). Network IOCs include C2 domains like flashupdatedata[.]com and systemfirmware[.]live. Mutex names and registry keys are not applicable on Android; instead, persistent background services named FlashUpdateService are observable. User-Agent strings often mimic Dalvik/2.1.0 (Linux; U; Android 11; SM-G998B).

☠️ Risk & Impact

TangleBot causes data exfiltration of SMS, contacts, and financial credentials, enabling identity theft and unauthorized transactions. Victims often suffer financial losses through account takeover of banking and payment apps. The malware primarily affects individual mobile users in the logistics, retail, and consumer sectors in North America, though no large-scale corporate breaches have been documented.

🛡️ Mitigation

Defensive measures include educating users to avoid clicking unsolicited SMS links, disabling installation from unknown sources in Android settings, and deploying mobile threat defense (MTD) solutions such as Zscaler Mobile Security or Lookout. Detection rules can monitor for Accessibility Service abuse and anomalous outbound HTTP traffic; regular software updates and use of Google Play Protect also mitigate risk.
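As an added example (not code from the original profile), the following Python script applies the network and package indicators listed under Detection Indicators as a detection rule over constructed HTTP proxy log lines, the kind of anomalous-outbound-traffic monitoring this section recommends. The log layout, the exact User-Agent regex (generalized to any Android version) and the sample lines are assumptions; the domains and package names are the ones quoted on this page.

```python
import re

# Indicators quoted from the profile above, kept defanged as published.
C2_DOMAINS_DEFANGED = ["flashupdatedata[.]com", "systemfirmware[.]live"]
KNOWN_PACKAGES = {"com.android.flashupdate", "com.android.systemflash"}
# User-Agent shape described in the profile (Dalvik/2.1.0 build string);
# the regex is an assumption that accepts any Android version number.
DALVIK_UA = re.compile(r"^Dalvik/2\.1\.0 \(Linux; U; Android \d+; [^)]+\)$")
# Assumed proxy log layout: <ts> <src_ip> <method> <host> <path> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

def host_matches_c2(host: str) -> bool:
    """Exact or subdomain match only; a lookalike such as 'notsystemfirmware.live' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def scan_proxy_log(lines):
    """Return (line_no, severity, reason) for requests to known C2 hosts.
    A User-Agent matching the Dalvik pattern is corroborating evidence and raises severity."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never silently matched
        _ts, src, method, host, _path, _status, ua = m.groups()
        if host_matches_c2(host):
            sev = "high" if DALVIK_UA.match(ua) else "medium"
            alerts.append((n, sev, f"{method} from {src} to TangleBot C2 host {host}"))
    return alerts

def suspicious_packages(installed):
    """Intersect an installed-package list with the known TangleBot package names."""
    return KNOWN_PACKAGES & set(installed)

# Constructed sample log lines (not real traffic); line 4 is a lookalike that must not match.
SAMPLE_LOG = [
    '2021-10-05T14:02:11Z 10.0.0.15 GET www.dhl.com /express 200 "Mozilla/5.0 (Linux; Android 11)"',
    '2021-10-05T14:02:40Z 10.0.0.15 POST api.flashupdatedata.com /gate 200 "Dalvik/2.1.0 (Linux; U; Android 11; SM-G998B)"',
    '2021-10-05T14:03:02Z 10.0.0.22 POST systemfirmware.live /upload 200 "okhttp/4.9.0"',
    '2021-10-05T14:03:15Z 10.0.0.22 GET notsystemfirmware.live /index.html 200 "Mozilla/5.0"',
]
```

Run against `SAMPLE_LOG` it flags lines 2 (high) and 3 (medium) and ignores the lookalike on line 4; on a real deployment, feed it the proxy or DNS logs for the fleet and pair it with an MDM inventory check via `suspicious_packages`.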


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.