Although they often appear innocent, malicious Covid-related Android apps are a risk to users
Even in the current unprecedented situation we are all in, cybercriminals don’t rest. On the contrary, many see the chaos surrounding the pandemic as an opportunity to earn money or expand their cybercriminal operations. Taking advantage of people’s emotions and confusion, they aim to deceive their victims into unknowingly installing malicious apps on their devices, typically apps posing as Covid-19 trackers or as sources of information and guidance.
Threat intelligence platform Apklab.io launched an initiative to encourage researchers to contribute and examine Covid-19 related apps. In just over a month, the public feed now contains over 2,000 apps related to the Covid-19 pandemic, of which at least 250 are considered malicious. The sheer number of apps collected reflects the interest of the public to know more, and the opportunity for scammers to effectively target their audience.
Covid-19 scams use some widely known methods for spreading. Most commonly, they spread through your social networks or target you in the form of text messages that include a link. Often, these scams will look pretty official. Their message may promise important information, offer the ability to track you and infected people around you, or sometimes even promise supplies of protective products.
Fake apps offering an on-screen measurement of body temperature, repackaged samples of known Covid-related spyware, and even legitimate apps injected with malicious code have already been spotted in the wild; each can lure the potential victim into installing the app and granting the rights it asks for. The tracking apps are particularly nasty in this regard, because users expect such an application to prompt them for potentially dangerous permissions (location access, permission to keep running permanently in the background, and so on). Since the app’s stated purpose is to collect information and data (geolocation, for instance), a clever criminal only has to apply some social engineering skill to tailor the prompts appropriately and gain all the access they desire.
In the following screenshots, you will find examples of how innocent the fake landing pages may look:
Sometimes a trained eye will spot the scam instantly, as the domain names can be either randomly generated nonsense or mention something completely irrelevant. In other cases, telling the difference is not as simple. For instance, the fake California Department of Public Health site looks exactly like the original, and it is even hosted on a domain that looks reliable (cdph-ca.us vs cdph.ca.gov). But there’s a catch. If you click on any of the links on this site, it downloads a banking trojan APK to your device before redirecting you to the official website.
Many researchers in the security community are actively following and reporting the happenings of the latest scams, and Twitter is a great source for up-to-date findings about the newest scams.
Some examples are:
Operators of Android banking trojans have taken quite a liking to the current situation, and we have noticed many campaigns of the popular Anubis and Cerberus banker families being distributed through fake sites connected with Covid-19.
Bankers are a category of malware specifically designed to cause direct financial harm to users by tricking them into divulging their banking credentials and by stealing two-factor authentication tokens from the victim’s device.
Spyware is another category of malware heavily involved in the Covid-19 pandemic. As we’ve written earlier, some of the permissions usually associated with spyware, which would normally raise eyebrows, can be turned by sufficiently eloquent criminals into a plausible explanation to the user that the app is monitoring “their well-being and safety”, while in reality it provides exactly the opposite.
Usually, just by looking at the target apps, a trained eye can tell whether the app is trustworthy or not. In these cases, the name of the app and its package name already give some clue that mischief is going on:
Other app icons related to Covid-19 scams:
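As an added example (not code from the original post or from Apklab.io), the Python triage below scores app records by the clues discussed above: a Covid-themed label or package name, a random-looking package name, the permissions that bankers (SMS access, overlays) and spyware (location, audio, contacts, boot persistence) request, and sideloading from a link rather than the official store. The sample records, the permission groupings and the scoring weights are constructed assumptions for illustration.

```python
import re

# Constructed example records (not real apps): label, package name, permissions
# requested in the APK manifest, and where the APK came from.
SAMPLE_APPS = [
    {"label": "Covid-19 Tracker", "package": "com.covid19.tracker.free", "source": "sideload",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.RECEIVE_SMS",
                     "android.permission.READ_SMS", "android.permission.SYSTEM_ALERT_WINDOW"]},
    {"label": "Corona Safety", "package": "com.qwzxk.app", "source": "sideload",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
                     "android.permission.READ_CONTACTS", "android.permission.RECEIVE_BOOT_COMPLETED"]},
    {"label": "Weather Now", "package": "com.example.weather", "source": "play",
     "permissions": ["android.permission.ACCESS_COARSE_LOCATION", "android.permission.INTERNET"]},
]

COVID_LURE = re.compile(r"covid|corona|virus|pandemic|quarantine|tracker", re.I)
# Permission groups (an assumption for this triage) matching the behaviours described in
# the post: bankers read SMS 2FA codes and draw overlays; spyware collects location,
# audio and contacts and restarts itself at boot.
BANKER_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.REQUEST_INSTALL_PACKAGES"}
SPYWARE_PERMS = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
                 "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
                 "android.permission.RECEIVE_BOOT_COMPLETED"}

def short(perm):
    return perm.rsplit(".", 1)[-1]

def looks_random(segment):
    """Package segments with no vowels (e.g. 'qwzxk') are a common sign of a throwaway package."""
    return len(segment) >= 5 and not re.search(r"[aeiou]", segment, re.I)

def triage(app):
    """Return (score, reasons); a higher score means the app deserves manual analysis."""
    score, reasons = 0, []
    if COVID_LURE.search(f"{app['label']} {app['package']}"):
        score, reasons = score + 1, reasons + ["covid-themed name or package"]
    if any(looks_random(s) for s in app["package"].split(".")[1:]):
        score, reasons = score + 1, reasons + ["random-looking package name"]
    perms = set(app["permissions"])
    if perms & BANKER_PERMS:
        score, reasons = score + 2, reasons + ["banker-style: " + ", ".join(sorted(map(short, perms & BANKER_PERMS)))]
    if len(perms & SPYWARE_PERMS) >= 2:  # one location permission alone is too common to flag
        score, reasons = score + 2, reasons + ["spyware-style: " + ", ".join(sorted(map(short, perms & SPYWARE_PERMS)))]
    if app["source"] != "play":
        score, reasons = score + 1, reasons + ["sideloaded APK, not installed from the official store"]
    return score, reasons

def rank(apps):
    """Sort apps by triage score, most suspicious first."""
    return sorted(((triage(a)[0], a["package"]) for a in apps), reverse=True)
```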
To avoid Covid-19 scams: