S1069: TangleBot
TangleBot is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. TangleBot has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to FluBot Android malware campaigns.[1]
Analyst context for executives and security teams
TangleBot matters because it represents mobile malware delivered through SMS lures, with ATT&CK documenting Android-focused behavior that can reach into communications, location, screen, audio, video, contacts, call logs, SMS messages, and local data. For leaders, the practical issue is not only malware removal; it is whether the organization can see and govern risky mobile app installation and permissions on devices that may access corporate identity, messaging, or regulated data.
Executive priority
Prioritize this as a mobile security, privacy, and incident-readiness issue. The supplied ATT&CK data ties TangleBot to SMS-based social engineering and Android behaviors that can expose sensitive communications and personal data. Executives should ask whether managed and BYOD mobile devices have enforceable app-source controls, permission visibility, SMS-phishing reporting paths, and evidence suitable for incident response or compliance reviews involving PII, communications records, or location data.
Technical view
SOC, IR, and mobile security teams should validate coverage around Android devices and the related ATT&CK behaviors: GUI input capture, software discovery, audio/location/video/screen capture, local data access, SMS control, call control, call log access, contact list access, and SMS message access. Because ATT&CK provides no official detection text for this object and no tactics are specified, detection engineering should be relationship-driven: look for suspicious combinations of mobile app install events, risky permissions, default SMS handler changes, SMS send/receive behavior, phone-call control permissions, contact/SMS/call-log access, media capture permissions, location access, and screen-capture consent or MediaProjection use where telemetry is available.
Likely telemetry
- MDM/MAM or mobile threat defense records for Android app inventory, install source, sideloading, and newly installed APKs
- Android permission requests and grants for SMS, phone, contacts, microphone, camera, location, storage, and screen capture capabilities
- Changes to default SMS handler status and SMS send/receive activity where enterprise telemetry supports it
- Call control, call log, contact list, and SMS content provider access indicators where available
- User reports or help desk tickets referencing suspicious SMS lures, especially messages prompting app installation
Detection direction
- Confirm whether mobile telemetry can correlate SMS lure reports with subsequent Android app installation and high-risk permission grants.
- Tune for suspicious permission bundles rather than single permissions alone; legitimate communication, navigation, banking, accessibility, and productivity apps may request some of the same access.
- Validate monitoring for default SMS handler changes, SMS sending, call-control permissions, and access to contacts, call logs, and SMS messages on managed Android devices.
- Review whether screen, audio, video, and location access is visible to defenders and whether consent prompts or permission changes are logged.
- Use app reputation, install source, device ownership model, timing, and user context to reduce false positives.
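As an added example (not code from ATT&CK, Glexia, or the cited TangleBot report), the following Python scores constructed MDM app-install records the way the detection direction above describes: it alerts on permission bundles that span several capability groups rather than on any single permission, adds weight for a default SMS handler change, screen-capture consent and a sideloaded install source, correlates the install with an SMS lure report from the same device in the preceding 24 hours, and uses a reputation allowlist to suppress known apps. The record layout, package names, weights, threshold and lure window are all assumptions to be tuned against local telemetry; the permission strings are real Android permission names.

```python
"""Relationship-driven triage of Android app-install telemetry (added example)."""
from datetime import datetime, timedelta

# Capability groups: one permission is weak evidence, a bundle spanning several
# groups is what the detection direction asks defenders to tune for.
CAPABILITY_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "telephony": {"android.permission.CALL_PHONE",
                  "android.permission.ANSWER_PHONE_CALLS"},
    "contacts_calllog": {"android.permission.READ_CONTACTS",
                         "android.permission.READ_CALL_LOG"},
    "media_capture": {"android.permission.RECORD_AUDIO",
                      "android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.READ_MEDIA_IMAGES"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

MIN_GROUPS_FOR_BUNDLE = 3            # assumption: tune to the local app population
LURE_WINDOW = timedelta(hours=24)    # assumption: lure report -> install window
ALERT_THRESHOLD = 50                 # assumption
KNOWN_GOOD = {"com.example.navigator"}  # hypothetical reputation allowlist


def capability_groups(permissions):
    """Return the set of capability groups touched by a permission list."""
    granted = set(permissions)
    return {name for name, perms in CAPABILITY_GROUPS.items() if granted & perms}


def score_install(event, lure_reports):
    """Score one install record; returns (score, list of human-readable reasons)."""
    score, reasons = 0, []
    groups = capability_groups(event["permissions"])
    if len(groups) >= MIN_GROUPS_FOR_BUNDLE:
        score += 10 * len(groups)
        reasons.append(f"permission bundle spans {len(groups)} groups: {sorted(groups)}")
    if event.get("default_sms_handler"):
        score += 30
        reasons.append("app became the default SMS handler")
    if event.get("media_projection_consent"):
        score += 15
        reasons.append("screen-capture (MediaProjection) consent granted")
    if event["install_source"] != "play_store":
        score += 20
        reasons.append(f"install source: {event['install_source']}")
    if event["package"] in KNOWN_GOOD:
        score -= 40
        reasons.append("package on reputation allowlist")
    # Correlate with a user-reported SMS lure on the same device shortly before install.
    for report in lure_reports:
        delta = event["timestamp"] - report["timestamp"]
        if report["device_id"] == event["device_id"] and timedelta(0) <= delta <= LURE_WINDOW:
            score += 25
            reasons.append("SMS lure reported on this device within 24h before install")
            break
    return max(score, 0), reasons


def triage(events, lure_reports, threshold=ALERT_THRESHOLD):
    """Return (package, device, score, reasons) for records at or above the threshold."""
    findings = []
    for ev in events:
        score, reasons = score_install(ev, lure_reports)
        if score >= threshold:
            findings.append((ev["package"], ev["device_id"], score, reasons))
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Constructed sample telemetry (not real device data).
LURE_REPORTS = [{"device_id": "dev-001", "timestamp": datetime(2021, 9, 20, 9, 0)}]
EVENTS = [
    {"device_id": "dev-001", "package": "com.example.covidinfo",  # constructed
     "install_source": "sideload", "timestamp": datetime(2021, 9, 20, 9, 40),
     "default_sms_handler": True, "media_projection_consent": True,
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
                     "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
                     "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.SYSTEM_ALERT_WINDOW"]},
    {"device_id": "dev-002", "package": "com.example.navigator",  # allowlisted
     "install_source": "play_store", "timestamp": datetime(2021, 9, 21, 12, 0),
     "permissions": ["android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.RECORD_AUDIO"]},
    {"device_id": "dev-001", "package": "com.example.fintech",  # 3 groups, store install
     "install_source": "play_store", "timestamp": datetime(2021, 9, 22, 8, 0),
     "permissions": ["android.permission.READ_SMS", "android.permission.CAMERA",
                     "android.permission.READ_CONTACTS"]},
]

if __name__ == "__main__":
    for package, device, score, reasons in triage(EVENTS, LURE_REPORTS):
        print(f"{package} on {device}: score {score}")
        for r in reasons:
            print("  -", r)
```

Only the sideloaded app on dev-001 crosses the threshold; the store-installed finance app requests three groups but scores 30 without the contextual signals, which is the tuning behaviour the list above calls for.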
Mitigation priorities
- Enforce managed-device controls for app installation sources, sideloading restrictions, and app vetting where business policy allows.
- Apply mobile permission governance: limit or review apps requesting SMS, phone, contacts, microphone, camera, location, storage, and screen-capture-related access.
- Provide clear SMS-phishing reporting and user guidance for messages that pressure users to install applications.
- Integrate mobile alerts and device inventory into SOC and incident response workflows so mobile events are not isolated from identity and endpoint investigations.
- For suspected compromise, preserve available device evidence, remove the untrusted app, review exposed accounts or data, and consider credential or token reset decisions based on local evidence.
Analyst notes and limits
The strongest defensive value comes from treating TangleBot as a mobile permission-abuse and SMS-delivery case. ATT&CK relationships show a broad set of collection and device-control behaviors, so coverage should be assessed across mobile app governance, SMS handling, identity exposure, and privacy-sensitive telemetry rather than only malware signature detection.
The supplied ATT&CK object has no official detection guidance, no specified tactics, no aliases, and only Android listed as the platform for TangleBot. The description cites initial observation in September 2021 and targeting of mobile users in the United States and Canada, but this summary does not infer current activity or organizational exposure. Local MDM, mobile threat defense, carrier, privacy, and device-ownership constraints will determine what can actually be detected or investigated.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1418 | Software Discovery | TangleBot can obtain a list of installed applications. [1] |
| Mobile | T1430 | Location Tracking | TangleBot can request location permissions. [1] |
| Mobile | T1512 | Video Capture | TangleBot can record video from the device camera. [1] |
| Mobile | T1636.003 | Contact List (sub-technique) | TangleBot can request permission to view device contacts. [1] |
| Mobile | T1533 | Data from Local System | TangleBot can request permission to view files and media. [1] |
| Mobile | T1616 | Call Control | TangleBot can make and block phone calls. [1] |
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | TangleBot can use overlays to cover legitimate applications or screens. [1] |
| Mobile | T1429 | Audio Capture | TangleBot can record audio using the device microphone. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | TangleBot can read incoming text messages. [1] |
| Mobile | T1513 | Screen Capture | TangleBot can record the screen and stream the data off the device. [1] |
| Mobile | T1582 | SMS Control | TangleBot can send text messages. [1] |
| Mobile | T1636.002 | Call Log (sub-technique) | TangleBot can request permission to view call logs. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 70cc51e13d22… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] cloudmark_tanglebot_0921: Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil. (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.
[2] mitre-attack: S1069 (MITRE ATT&CK software object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.