Threat Research

Fake Covid-19 tracking applications spotted

Threat Intelligence Team, 4 August 2020

Avast researchers encountered banker variants that misuse Android accessibility services and steal sensitive data

With the sudden spread of Covid-19, the need for a tool to quickly trace contact between people arose. Tracking applications use smartphones to record interactions between people, so that users can be informed if they have come into contact with, or been in close proximity to, a person confirmed to be infected with the virus.

Tracking applications are now often encouraged or even mandatory in many countries, and therefore have a high number of users. With that, many malicious applications resembling the official versions of these tracking applications have begun to appear, mostly with the intention of stealing sensitive information from users.


Further reading:
Contact tracing apps face their day of reckoning
What you need to know about government contact tracing apps


Among the most common threats these users can encounter are bankers and spyware applications.

A banker is a type of malware application that usually misuses Android’s accessibility service to grant itself the capability to steal sensitive data, more specifically log-in credentials, passwords, and one-time authentication tokens.

Similar or identical icons and names resembling the original application are often used to trick the user into thinking that the application is legitimate. 

These apps usually don't offer the advertised Covid-19 related functionality to the user; their only purpose is to collect the user's sensitive data. Most of them hide their presence on the device shortly after installation, in the hope that the user will eventually forget they ever installed them.

We’ve encountered several variants of such bankers for some of the official tracking applications, specifically the British Covid Symptom Tracker, the Indian Aarogya Setu, and a Russian app.

Examples of bankers found

| Name | Package name | sha256 |
|---|---|---|
| Coronavírus - SUS | wocwvy.czyxoxmbauu.slsa | D7FC4377B7A765D6BC3901D0DE01008095965D02062FDA3707957163AFE8884D |
| Corona Track | njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu | 9FFDA0C1E8E9E9C63C5219941F3F72F04EF8027B2ED8443498100DF27E00B8B0 |
| Corona | com.ygmdflerbfvl.tbistzkei | 484F6862473B96487B7D2CB1079DF512403ED48AB25ADF6AA3738FB39ACC625B |
| Corona | com.xwrmnh.qoszdczhgyt | BB1146C08E39E704DC50C81BA12169D0EEDE42C38FE9EA5EEDAE74952C75433A |
| Covid19 | hkflsxtoqzybtnk.bekcgmgokixinuo.jamqjxyajdubklkpatutw | 1726cdd1bc9511216d1162b49000dd830ca863138f26fd27aa68c13e16ad7e73 |
| Covid19 | zpihicsrqznizsqcmw.xdfkqojzwozggpbyplbnheeify.ftfdjaeofqyainaghrdd | b8309cbbd739f0ae73ca7b1b6bd6e606e5799fa7f7cd16b70cc1aeb302b63dd2 |
| COVID-19 | anubis.bot.myapplication | 090B5FB792B62225DF6CA55FAC2D96B630D596A61B7071009E0084056D04240A |

Spyware is a type of malware that, without the user’s consent, tracks their activity on their phone. Given the focus of the original apps, and the expectations they set (i.e. contact tracing), these apps are already expected to be able to access some personal information from the start. It is therefore not surprising that spyware authors are cashing in on this fact and covertly slipping in a couple of extra permissions to track even more of the users’ activities.

In some cases, the spyware app masquerading as the legitimate app tricks the user, upon installation, into granting it all the sensitive permissions. We’ve often seen the spyware app install the original legitimate app afterwards to give the user the functionality they were after, while the spyware app hides itself from sight (by hiding its launcher icon) and remains installed on the victim’s device. All the collected sensitive data (call logs, SMS logs, and anything else the spyware operator is after) is then silently sent to the attacker’s servers in the background.

As in the case of bankers, a similar or identical name and icon resembling the original app is used to deceive the user into installing this spyware application.

Examples of spyware found

| Name | Package name | sha256 |
|---|---|---|
| Aarogya Setu | com.android.tester | 885D07D1532DCCE08AE8E0751793EC30ED0152EEE3C1321E2D051B2F0E3FA3D7 |
| Aarogya Setu - AddOn | yps.eton.application | F733DED73D4F498327480D232E415465C0F5654A69B431DA081F83998B49EAD2 |
| Aarogya Setu Installer | nic.gov.aarogyasetuinstaller | D66C926AAB6B15CFEE786499645FDA64782C752CAE6DD3D4154FAB81F7FE8744 |
| Corona | com.facebook | 45F82AFBE6576A6DBF458490C1D4577EFCA5C61899B3E9ECA5BBFC6ADF56519E |
| Corona | com.facebook | 7E5B04636C88C5C7FBCDF09D0578FBD487DDABC613B5648176D4495483D802EB |

How can you identify these apps?

First, and probably most important, make sure that the source you are downloading the application from is reliable: use the government or public health office’s official websites, the website of the application’s official provider, or the official app stores (Google Play or the App Store).

Don't rely solely on the icon, since this is usually the only part that bankers share with the official app. In the case of bankers, a very good indicator that the app is malicious is its package name, which is often composed of a random set of letters, for example: zpihicsrqznizsqcmw.xdfkqojzwozggpbyplbnheeify.ftfdjaeofqyainaghrdd.

The size of the app can also be an indicator that something is suspicious: most of the official apps are roughly 10 MB to 20 MB, while the malicious apps are usually much smaller (1-4 MB). But that’s not always the case.
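Turning the checks in this section into a triage script: the example below is added here and is not Avast's or any official tooling. It scores an inventory of installed apps on the three signals the post describes (a sha256 match against the tables above, a random-looking package name, and an unusually small APK). The inventory entries, APK sizes and the benign package name gov.example.contacttracing are constructed, and AppRecord, looks_random, triage and run_triage are this example's own names.

```python
# Added example, not Avast's tooling: triage an installed-app inventory against
# the indicators this post describes. Sizes and the benign entry are constructed;
# the sha256 values and package names come from the tables above.
import re
from typing import NamedTuple

KNOWN_BAD_SHA256 = {h.lower() for h in (  # two values from the tables above
    "D7FC4377B7A765D6BC3901D0DE01008095965D02062FDA3707957163AFE8884D",
    "885D07D1532DCCE08AE8E0751793EC30ED0152EEE3C1321E2D051B2F0E3FA3D7",
)}

class AppRecord(NamedTuple):
    package: str
    size_bytes: int
    sha256: str

def looks_random(package: str) -> bool:
    """True if any dot-separated label reads like keyboard mashing: five or more
    consonants in a row, or 5+ letters with under 25% vowels. Heuristic only."""
    for label in package.lower().split("."):
        letters = re.sub(r"[^a-z]", "", label)
        if not letters:
            continue
        longest_run = max(map(len, re.findall(r"[^aeiou]+", letters)), default=0)
        vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
        if longest_run >= 5 or (len(letters) >= 5 and vowel_ratio < 0.25):
            return True
    return False

def triage(app: AppRecord) -> list[str]:
    """Reasons an entry deserves a closer look; an empty list means no findings."""
    reasons = []
    if app.sha256.lower() in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a published indicator")
    if looks_random(app.package):
        reasons.append("package name looks randomly generated")
    if app.size_bytes <= 4 * 1024 * 1024:  # the post puts the malicious apps at 1-4 MB
        reasons.append("APK is 4 MB or smaller; official apps are typically 10-20 MB")
    return reasons

SAMPLE_INVENTORY = [  # constructed: one benign entry plus two rows from the tables above
    AppRecord("gov.example.contacttracing", 14_000_000, "00" * 32),
    AppRecord("njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu", 2_000_000,
              "9FFDA0C1E8E9E9C63C5219941F3F72F04EF8027B2ED8443498100DF27E00B8B0"),
    AppRecord("com.android.tester", 3_000_000,
              "885D07D1532DCCE08AE8E0751793EC30ED0152EEE3C1321E2D051B2F0E3FA3D7"),
]

def run_triage(inventory=SAMPLE_INVENTORY) -> dict[str, list[str]]:
    return {app.package: triage(app) for app in inventory}
```

Note that the spyware rows use ordinary-looking package names (com.android.tester, com.facebook), so for them only the hash and size signals fire; the random-name heuristic is mainly useful for the bankers.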

If anything feels off, it is best to be cautious and double-check the available official materials, or seek guidance from someone more experienced.