Threat Research

Iranian Coronavirus app collecting sensitive information

Nikolaos Chrysaidos, 11 March 2020

Apklab.io helps to uncover Iranian Coronavirus app collecting sensitive information

Over the weekend, Iranian researcher Nariman Gharib reported via Twitter that he had identified a coronavirus app that collects sensitive information from users, including their real-time geolocation, beyond what the app requires to function. He used apklab.io, our mobile threat intelligence platform, to identify the origins of the app and to analyze the information it collects and sends back to the developer’s servers. According to Gharib, the app was distributed by the Iranian Ministry of Health via SMS to Iranian users, and the message encouraged recipients to install the app and take a test to determine whether they had symptoms of coronavirus. Google has since removed the app from the Play Store because it violates Google’s terms and conditions.

On March 10th, Gharib tweeted that an employee of Iran’s Health Ministry claimed the app had not been authorized by that ministry and that the Ministry of ICT had developed it. In the same tweet, Gharib states that Iran’s Health Ministry published a clarification that day, stating that “no-one is allowed to obtain users’ personal information”.

However, I analyzed the app and can confirm Gharib’s findings: the app collects information beyond what it needs to function. The app first requires users to register with their telephone number. It then requests permission to access the user’s precise location, which is defensible, since a user’s location can be used to recommend the hospital closest to them if they are infected with the virus. However, the app also requests the ACTIVITY_RECOGNITION permission, which reveals whether the device user is sitting, walking, or running. That permission is typically used by fitness applications to track sports activities and has no plausible role in a symptom questionnaire; combined with precise location, it lets the developer see not only where a user is but how they are moving.

Clues found in the code reveal that the app was developed by the same group behind the messaging apps Talagram and Hotgram, both of which were removed from the Google Play Store last year. Talagram and Hotgram were reportedly developed for the Iranian government, which promoted them as alternatives to the Telegram messenger, an app known for its encrypted messaging that the Iranian government has banned.

In addition to the user’s precise location, the app also sends information entered by the user, including their mobile number, gender, name, height, and weight, back to the developer’s server. Together with the location and activity data, that is enough to tie a named, reachable individual to a movement profile.

Precautions to take before downloading an app

  • Avoid downloading apps from outside the official app stores. The Google Play Store and the Apple App Store are safer options because they check the apps they admit against guidelines and app policies intended to keep malicious and intrusive apps out of their markets. That vetting is not a guarantee, as this case shows: the app was available on Google Play until it was reported and removed, so the remaining precautions still apply to apps from the stores.

  • Carefully check the permissions the app is requesting. You wouldn’t give your phone number to just anyone, and you wouldn’t share your exact location with a complete stranger. Apply the same thinking to the permissions you grant an app you are about to install: consider whether the app needs that access to function. A photo editing app needs access to media files such as photos to do its job, but does an app meant to help you determine whether you have the coronavirus need to know whether you are sitting, walking, or running?

  • Be aware of scams. Bad actors, like legitimate ones, take advantage of trends, whether they are harmless fads or serious outbreaks like the coronavirus. It is therefore especially important to take a close look at emails, text messages, and websites offering advice or support around the coronavirus, and to verify that the offer can be trusted before acting on it. In this case the app itself arrived by SMS, which is exactly the kind of message to treat with suspicion.
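The permission review described in the analysis above and in the second precaution can be done mechanically before installing anything: decode the APK (for example with `apktool d app.apk`), read the declared permissions out of AndroidManifest.xml, and compare them against what the app’s stated purpose can justify. The script below is an added example written for this post, not code from the original article or from apklab.io. The manifest it parses is constructed for illustration and is not the real app’s manifest; the list of sensitive permissions and the set of permissions a symptom-check app could justify are the example’s own choices, not a published policy.

```python
"""Flag Android manifest permissions that go beyond an app's stated purpose.

Added example, not code from the original post or from apklab.io. The manifest
below is constructed for illustration and is not the real app's manifest.
A decoded AndroidManifest.xml from a real APK (e.g. via `apktool d app.apk`)
can be passed to review_permissions() in its place.
"""
import xml.etree.ElementTree as ET

# Manifest element tags are unnamespaced; only the attributes carry the
# android: namespace, so the name attribute must be looked up with it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions whose grant exposes personal or behavioural data. This grouping
# is the example's own (hypothetical) choice; extend it for your own review.
# ACTIVITY_RECOGNITION exists in two forms: the platform permission (a runtime
# permission since Android 10) and the older Google Play services variant.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.ACTIVITY_RECOGNITION": "physical activity (sitting/walking/running)",
    "com.google.android.gms.permission.ACTIVITY_RECOGNITION": "physical activity (Play services variant)",
    "android.permission.READ_PHONE_STATE": "phone identity and state",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# What a symptom-check app could plausibly justify: network access to reach
# its server and precise location to suggest a nearby hospital. Hypothetical
# policy chosen for this example.
EXPECTED_FOR_PURPOSE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest (not the real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.symptomcheck">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
    <uses-permission android:name="com.google.android.gms.permission.ACTIVITY_RECOGNITION"/>
    <application android:label="Symptom Check"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml: str, expected: set[str] = EXPECTED_FOR_PURPOSE) -> dict:
    """Split declared permissions into justified, unexplained-sensitive and other.

    'unexplained_sensitive' maps each flagged permission to what it exposes,
    which is the part a reviewer should read before installing.
    """
    report = {"justified": [], "unexplained_sensitive": {}, "other": []}
    for perm in declared_permissions(manifest_xml):
        if perm in expected:
            report["justified"].append(perm)
        elif perm in SENSITIVE_PERMISSIONS:
            report["unexplained_sensitive"][perm] = SENSITIVE_PERMISSIONS[perm]
        else:
            report["other"].append(perm)
    return report


if __name__ == "__main__":
    result = review_permissions(SAMPLE_MANIFEST)
    for perm, exposes in result["unexplained_sensitive"].items():
        print(f"FLAG   {perm}: grants {exposes}, not needed for a symptom check")
    for perm in result["other"]:
        print(f"REVIEW {perm}: not sensitive by default, but not justified either")
```

On the constructed manifest the two ACTIVITY_RECOGNITION declarations are flagged while the location permission passes as justified, which mirrors the reasoning in the analysis: the question is never whether a permission is dangerous in the abstract, but whether this app’s purpose explains it. Anything in the `other` bucket deserves a look too; a permission that is harmless on its own can still be unnecessary, and unnecessary permissions are what this app’s excess collection is built on.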