Malicious Apps Pose as Contact Tracing to Infect Android Devices

Threat actors are using fake COVID-19 contact tracing apps to infiltrate Android devices in countries around Asia, Europe and South America.

According to research from Anomali, 12 fake apps have been detected as targeting citizens in Armenia, India, Brazil, Chhattisgarh, Columbia, Indonesia, Iran, Italy, Kyrgyzstan, Russia and Singapore.

Once installed, the apps are designed to download and install malware to monitor infected devices, steal banking credentials and personal data.

In particular, the Anubis and SpyNote malware have been detected as being downloaded by these apps. Anubis is an Android banking Trojan that utilizes overlays to access infected devices and then steal user credentials, while SpyNote is an Android Trojan used for gathering and monitoring data on infected devices.

The fake app detected as imitating the Brazilian government’s official COVID-19 tracing app imitates the legitimate application by asking for the accessibility service privilege on the user’s app settings, and once the user enables the permissions, the app will run in the background and hide the icon from the application drawer.

“We believe the threat actors are distributing the malicious apps via other apps, third-party stores, and websites, among other channels,” Anomali said.

“Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name, of which actors will continue to abuse.”

Previous research by Lookout found a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals. Upon first launch, that app informed the user it did not require special access privileges, “but subsequently proceeds to request access to photos, media, files, device location, as well as permission to take pictures and record video.”

Tom Davison, technical director – international at Lookout, said: “One single app-based malware campaign may in fact be spread through 10s or even 100s of infected apps. Frequently these will impersonate well-known apps, or latch onto topics of interest for their intended targets.

“As more countries adopt government-sponsored or privately developed contact tracing apps, it is not unexpected that further malicious app samples will emerge. None of the samples observed by Lookout were ever on the Google Play Store and the advice to users is to always download mobile apps from official stores.”

Paul Balkwell, vice-president EMEA at AppRiver, a Zix company, told Infosecurity that it has already seen how vulnerable people are to these kind of attacks that impersonate legit COVID-19 contact tracing government apps. “With contact tracing considered a fundamental vehicle to reopening world economies, we will unfortunately see an increase in these malicious apps and other opportunistic scams,” he said. “The threat environment is evolving to match the current situation.”

Asked if he expected there to be more fake/malicious apps pretending to be contact tracing apps, Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), said given that contact tracing implementations are trending towards using Bluetooth and discussion includes knowing contacts and communicating where the contact occurred, “it’s reasonable for consumers to expect any contact tracing app to request extra permissions like access to device contacts and location.”

However, as consumers have no way to vet the true technical requirements for any contact tracing app, Mackey said if the app also requests access to camera, phone or files, that might seem reasonable enough. “This then represents a perfect cover for cyber-criminals who could request excess privileges and safely mount their attacks while legitimate contact tracing protocols and apps are being developed,” he added.

Javvad Malik, security awareness advocate at KnowBe4, said criminals will latch onto any current event and news story to try and get malware onto devices, and the COVID-19 pandemic has provided ample opportunities for them to do so and the contact tracing apps are no exception.

“It is likely that as more people become aware of contact tracing apps we will see a sharp rise in the number of fake malicious apps,” he said. “Not only that, but we'll probably see alternate apps crop up which will claim to block contact tracing apps or make users invisible to authorities. The advice, as always, is for users to remain vigilant about apps. They should only trust official sources and not download apps which are sent to them via SMS, email or social media.”

What’s Hot on Infosecurity Magazine?