Even in the current unprecedented situation we are all in, cybercriminals don’t rest. On the contrary, many see the current chaos surrounding the pandemic as an opportunity to earn money or expand their cybercriminal operations. Taking advantage of people’s emotions and confusion, they aim to deceive their victims into unknowingly installing malicious apps on their devices typically posing as Covid-19 tracking apps, or apps providing information and guidance.

Fighting Covid-19 scam apps

Threat intelligence platform Apklab.io launched an initiative to encourage researchers to contribute and examine Covid-19 related apps. In just over a month, the public feed now contains over 2,000 apps related to the Covid-19 pandemic, of which at least 250 are considered malicious. The sheer number of apps collected reflects the interest of the public to know more, and the opportunity for scammers to effectively target their audience.

The inner workings of scams taking advantage of Covid-19

Covid-19 scams use some widely known methods for spreading. Most commonly, they spread through your social networks or target you in the form of text messages that include a link. Often, these scams will look pretty official. Their message may promise important information, offer the ability to track you and infected people around you, or sometimes even promise supplies of protective products. 

Further reading:
Financial scams with a Covid-19 twist
Spearphishing scams disguise malicious files as Covid-19 data

Fake apps offering an on-screen measurement of temperature, as well as repackaged known Covid-related spyware samples, or even injected legitimate apps have already been spotted in the wild that can lure the potential victim into installing the app and granting the necessary rights. The tracking apps are particularly nasty in this regard, as users expect to be prompted for potentially dangerous permissions (including location, ensure running permanently, and so on) by the application. As its main purpose is to collect information and data (like geolocation, for instance), a clever criminal has only to use his social engineering skills to tailor the messages appropriately to gain all the access he desires.

In the following screenshots, you will find examples of how innocent the fake landing pages may look:

Sometimes a trained eye will spot the scam instantly, as the domain names can be either randomly generated nonsense or mentioning something completely irrelevant. In other cases, the differentiation may not be as simple. For instance, the fake California Department of Public Health site looks exactly like the original — even with a hosted domain that looks reliable (cdph-ca.us vs cdph.ca.gov). But there’s a catch. If you click on any of the links on this site, it will download a banking trojan APK to your device before redirecting you to the official website. 

Many researchers in the security community are actively following and reporting the happenings of the latest scams, and Twitter is a great source for up-to-date findings about the newest scams. 

Some examples are:

• ESET’s Lukas Stefanko tracking Covid-19 related apps: https://lukasstefanko.com/2020/03/android-coronavirus-malware.html
  
• MalwareHunterTeam with their continual feed of new malicious apps discovered in the wild: https://twitter.com/malwrhunterteam

Banking malware and spyware riding on the Covid-19 wave

Operators of Android banking trojans have taken quite a liking to the current situation, and we have noticed many campaigns of the popular Anubis and Cerberus banker families being distributed through fake sites connected with Covid-19.

Bankers are a category of malware specifically designed to cause direct financial harm to users by tricking them to divulge their banking credentials and to steal two-factor authentication tokens from the victim’s device.

Spyware is another category of malware heavily taking part in the Covid-19 pandemic. As we’ve written earlier, some of the permissions usually associated with spyware and causing raised eyebrows can, by sufficiently eloquent criminals, be turned into a plausible explanation to the user for monitoring “their well-being and safety”, while in reality, providing exactly the opposite.

Usually, just by looking at the target apps, a trained eye can tell if the app is trustworthy or not. In these cases, the name of the app and it’s package name already give some clue about some mischief going on:

Other app icons related to Covid-19 scams:

Final thoughts

To avoid Covid-19 scams:

• Always trust your instincts. If something doesn’t feel completely right, best to avoid it. Look out for:
• Spelling errors on the websites, and in apps
• Irrelevant domain names used
• App name not fitting the expected purpose, etc.
• Mismatching app name and package name
• Follow official national guidelines from trusted sources like local public health institutions, TVs, or major news outlets.
  
  
• Use a reputable mobile security solution.
  
  
• Stick to official app marketplaces as a source of apps.