TangleBot employs more or less similar tactics as the recently-announced notorious FlutBot SMS Android malware that targets mobile devices.

TangleBot equally gains control of the device but in far more invasive manner than the FlutBot malware.

According to a press statement endorsed by Dr. Ikechukwu Adinde, director, Public Affairs at NCC, the disclosure on TangleBot was made in a recent security advisory made available to the Commission’s New Media and Information Security Department by the Nigerian Computer Emergency Response Team (ngCERT).

TangleBot Android malware is installed when an unsuspecting user clicks on a malicious link disguised as COVID-19 vaccination appointment-related information in an SMS message or information about fake local power outages that are due to occur.

The aim behind both or either of the messages (on COVID-19 or impending power outages) is to encourage potential victims to follow a link that supposedly offers detailed information.

Once at the page, users are asked to update applications such as Adobe Flash Player to view the page’s content by going through nine (9) dialogue boxes to give acceptance to different permissions that will allow the malware operators initiate the malware configuration process.

The immediate consequence to this, is that TangleBot gains access to several different permissions when installed on a device, allowing it to eavesdrop on user communications. The malware then steals sensitive data stored on the device and monitors almost every user activity, including camera use, audio conversations, and location, among other things.

Furthermore, the malware takes complete control of the targeted device, including access to banking data, and can reach the deepest recesses of the Android operating system.

The NCC, therefore, wishes to, once again, urge millions of telecom consumers in Nigeria to be wary of such wiles of cyber criminals, whose intent is to defraud unsuspecting Internet users.

In order to ensure maximum protection for Internet users in the country, the ngCERT has offered a number of preventive measures to be taken by the consumers.

These measures include an advisory to telecom consumers and other Internet users to refrain from opening Uniform Resource Locators (URLs) from unknown sources while using your mobile devices.

Additionally, telecom consumers should never respond or send reply to messages or call back a phone number that is associated with the text that they are unaware of.

Should any telecom consumer or Internet user become curious and wish to ascertain the authenticity of any call or messages and wish to probe the incident, such persons may do a web search of both the number and the message content.

The NCC hereby reiterates that mobile users are under obligation to practice safe messaging practices and avoid clicking on any links in texts, even if they appear to come from a legitimate contact. Indeed, it is important to be judicious when downloading apps by reading install prompts closely, looking out for information regarding rights and privileges that the app may request.

Other risk-mitigating measures advised by ngCERT is for users to be cautious of procuring any software from outside a certified app store.

Advisedly, it is safer to call the company directly rather than using the phone number on the message received, especially if the message is spoofing a company. Finally, telecom consumers and other Internet users should report any incident of system compromise to ngCERT via incident@cert.gov.ng for necessary support and technical assistance.

The Commission expresses its commitment to continuously inform and educate mobile telephony subscribers and Internet users in Nigeria, on cyber risks, however they may manifest. This is to insulate them from the dangers and losses arising from cybercrimes of any kind.

The new ransomware uncovered by security experts has been categorised, by the Nigerian Computer Emergency Response Team’s (ngCERT) advisory released over the weekend, as high-risk and critical.

According to the ngCERT advisory contained in a statement issued on Saturday, January 15, 2022, Dr. Ikechukwu Adinde, director, Public Affairs at NCC, the criminal group is said to have been mailing out (BadUSB) USB thumb drives to many organisations in the hope that recipients will plug them into their PCs and install the ransomware on their networks.

While businesses are being targeted, criminals could soon begin sending infected USB drives to individuals.

Describing how the cybercrime group runs the ransomeware, the ngCERT advisory says the USB drives contain so-called ‘BadUSB’ attacks.

The BadUSB exploits the USB standards versatility and allows an attacker to reprogram a USB drive to emulate a keyboard to create keystrokes and commands on a computer. It then installs malware prior to the operating system booting, or spoofs a network card to redirect traffic.

Numerous attack tools are also installed in the process that allows for exploitation of personal computers (PCs), lateral movement across a network, and installation of additional malware. The tools were used to deploy multiple ransomware strains, including BlackBatter and REvil.

According to ngCERT, the attack has been seen in the US where the USB drives were sent in the mail through the Postal Service and Parcel Service.

One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.

However, ngCERT has offered recommendations that will enable corporate and individual networks to mitigate the impact of this new cyber-attack and be protected from the ransomware.

These recommendations include a call on individuals and organisations not to insert USB drives from unknown sources, even if they’re addressed to you or your organization.

In addition, if the USB drive comes from a company or a person one is not familiar with and trusts, it is recommended that one contacts the source to confirm they actually sent the USB drive.

Finally, ngCERT has advised Information and Communication Technology as well as other Internet users to report any incident of system compromises to ngCERT via incident@cert.gov.ng, for technical assistance.