Apklab.io helps to uncover Iranian Coronavirus app collecting sensitive information
Over the weekend, Iranian researcher Nariman Gharib reported via Twitter that he had identified a coronavirus app collecting sensitive information from users, including their real-time geolocation, beyond what the app requires to function. He used apklab.io, our mobile threat intelligence platform, to identify the origins of the app and to analyze the information it collects and sends back to the developer's servers. According to Gharib, the app was distributed by the Iranian Ministry of Health via SMS to Iranian users, who were encouraged to install it and take a test to determine whether they had coronavirus symptoms. Google has already taken action and removed the app from its Play Store because it violates Google's terms and conditions.
On March 10th, Gharib tweeted that an employee of Iran's Health Ministry claimed the app was not authorized by that ministry and that the Ministry of ICT had developed it instead. In the same tweet, Gharib adds that Iran's Health Ministry published a clarification that day stating that "no-one is allowed to obtain users' personal information".
However, I analyzed the app and can confirm Gharib's findings: the app collects information beyond what it needs to function. The app first requires users to register with their telephone number. It then requests permission to access the user's precise location, which is defensible on its own: location can be used to recommend the hospital closest to the user in case the user is infected with the virus. However, the app also requests the ACTIVITY_RECOGNITION permission, which reveals whether the device user is sitting, walking, or running. That permission is typically requested by fitness applications to track sports activities and has no obvious role in a symptom checker.
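The permission review described above is the first thing to repeat when you triage an APK like this one. Below is an added example (not code from the original post, apklab.io, or the app's developers) that parses a decoded AndroidManifest.xml, such as the one apktool writes out, lists every declared permission, and flags those outside a baseline that a registration-plus-symptom-check app could justify. The sample manifest is constructed for the example and does not reproduce the real app's manifest; the JUSTIFIED baseline and the WHAT_IT_REVEALS table are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in ElementTree's Clark notation

# Constructed sample manifest (NOT the real app's manifest). It declares the
# location and activity-recognition permissions discussed in the post plus the
# network permissions any client app needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.symptomcheck">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
</manifest>
"""

# Assumed baseline: what an app that registers by phone number, asks symptom
# questions and suggests the nearest hospital can plausibly justify.
JUSTIFIED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# What a few dangerous permissions let an app observe (example's own table).
WHAT_IT_REVEALS = {
    "android.permission.ACTIVITY_RECOGNITION": "whether the user is still, walking, running or in a vehicle",
    "android.permission.READ_CONTACTS": "the user's address book",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.RECEIVE_SMS": "content of incoming SMS",
    "android.permission.READ_PHONE_STATE": "device identifiers and call state",
    "android.permission.RECORD_AUDIO": "the microphone",
    "android.permission.CAMERA": "the camera",
}


def declared_permissions(manifest_xml):
    """Return the permissions a decoded manifest declares, in document order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    names = []
    # <uses-permission-sdk-23> is honoured only on API 23+, but it still grants.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name and name not in names:
                names.append(name)
    return names


def excess_permissions(manifest_xml, justified=JUSTIFIED):
    """Map each permission outside the baseline to what it exposes."""
    return {
        perm: WHAT_IT_REVEALS.get(perm, "not in this table; review manually")
        for perm in declared_permissions(manifest_xml)
        if perm not in justified
    }


if __name__ == "__main__":
    for perm, meaning in excess_permissions(SAMPLE_MANIFEST).items():
        print("%s -> %s" % (perm, meaning))
```

Run it against the manifest apktool extracts from a real sample and adjust JUSTIFIED to the app's stated purpose; anything left in the output is a question for the developer, exactly as ACTIVITY_RECOGNITION was here.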
Clues found in the code reveal that the app was developed by the same group behind the messaging apps Talagram and Hotgram, both of which were removed from the Google Play Store last year. Talagram and Hotgram were reportedly developed for the Iranian government, which promoted them as alternatives to Telegram, a messenger known for its strong encryption that the Iranian government has banned.
In addition to the user's precise location, the app also sends information entered by the user, including their mobile number, gender, name, height, and weight, back to the developer's server.