
A fake coronavirus tracking app is actually ransomware



A fake coronavirus tracking app is actually ransomware that threatens to leak social media accounts and delete a phone's storage unless a victim pays $100 in bitcoin

  • The concerns surrounding the coronavirus outbreak are being exploited by hackers taking advantage of people's thirst for information.


  • An Android app called "COVID19 Tracker" is just one example of ransomware that masks itself as a real-time coronavirus map tracker, according to researchers.


  • If a user grants the app access to certain phone settings, the ransomware is enabled and locks the user out of their phone unless they pay $100 in bitcoin to the hackers within 48 hours.


  • If the victim doesn't comply, the ransomware threatens to delete their phone's storage and leak social media accounts.


  • The website that hosts the ransomware app appears to have been taken down. The app isn't found on the Google Play Store, where the risk of downloading malware is significantly lower. 


Unsurprisingly, people are turning to the internet to get up-to-the-minute information on the coronavirus outbreak, but the thirst for information during a pandemic is a perfect opportunity for hackers. It's also a good time to remind everyone that hackers are still hard at work, even during concerning times. 


An app called "COVID19 Tracker" masking itself as a coronavirus outbreak map tracker is actually ransomware that locks down your phone and demands you pay the hackers $100 in bitcoin within 48 hours, according to Chad Anderson and Tarik Saleh at internet security company DomainTools.


Saleh's report from Friday shows that the app is designed for the Android operating system, and was listed to Android users searching the web for coronavirus tracking apps. To download the app, a user would have to go directly to the website where the app was hosted and download the app from there. The app was not available on the Google Play Store, according to Saleh.


The website appears to have been taken down as of Monday afternoon, but it was still running on Monday morning. The site prompts visitors to download an app, saying, "for android users: to get real-time number of coronavirus cases based on your GPS location please download the mobile app version of the website and enable 'accurate reporting' for best experience." Business Insider isn't linking or posting the name of the site.


Once opened, the app asks for access to your lock screen to give you "instant alerts when a coronavirus patient is near you." The app also asks for permission of an Android phone's accessibility settings for "active state monitoring."




If an unsuspecting user grants these permissions to the app, ransomware dubbed "CovidLock" is enabled, and the screen changes to a ransom note, shown below:


covidlock ransomware


The note says:


"Your phone is encrypted: You have 48 hours to pay 100$ [sic] in bitcoin or everything will be erased.

1. What will be deleted? your contacts, your pictures and videos, all social media accounts will be leaked publicly and the phone memory will be completely erased

2. How to save it? you need a decryption code that will disarm the app and unlock your data back as it was before

3. How to get the decryption code? you need to send 100$ [sic] in bitcoin to the adress [sic] below, click the button below to see the code

Note: Your GPS is watched and your location is known, if you try anything stupid your phone will be automatically erased"


At the end of the note is a text field where a victim is meant to enter the decryption code, and a button beneath the text field that says "Decrypt."


Saleh notes that protections against this kind of attack in the Android operating system have been in place since Android 7 "Nougat" released in 2016, just as long as the user has set a password to unlock the phone. Without an unlocking password, users are still vulnerable to attacks like the CovidLock ransomware.


Saleh said that the DomainTools security research team had reverse engineered the decryption key, and has released it publicly here so that victims could unlock their devices without paying the ransom.


When asked whether the hackers could simply generate a new decryption key, DomainTools told Business Insider that the hackers would need to rewrite the malware and redeploy it, and a new key wouldn't affect anyone who has already downloaded the infected app. "That is one of the big flaws of CovidLock," DomainTools said.


The company is also monitoring the hackers' bitcoin wallet and its activity, and DomainTools told Business Insider that no one has paid the ransom to the hackers as of yet, but the company is unsure of how many people have downloaded the app. 


DomainTools advises that people obtain information regarding COVID-19 from trusted sources like government and research institutions. It also suggests that people don't open emails or click links with health-related content, as miscreants are "trying to capitalize on fear." And finally, it advises Android users to download apps exclusively from the Google Play Store, where there is less risk of downloading malware.


This isn't the first instance of malware apps masking themselves as coronavirus-related tracking apps. Last week, cybersecurity researchers identified several fake COVID-19 tracker maps that infect people's computers with malware when opened.






Android malware uses coronavirus for sextortion and ransomware combo



Late last week, researchers at network intelligence company DomainTools warned about an Android malware sample that caught our attention.


We downloaded a copy of the malware for ourselves and took a look at what the crooks were up to – here’s what we found.


Like many other cyberthreats doing the rounds these days, the criminals have used the coronavirus pandemic as a lure, offering an intriguing if rather creepy app called COVID 19 TRACKER.



Catchy icon of the malware app


The website promoting the app offers to “Track Real-Time Coronavirus Outbreak in your Street, City and State”, and says it will “Get Real-Time Statistics about Coronavirus outbreaks around you in over 100 countries.”



Main malware landing page when browsing from Android


To be precise, if you’re keeping your eye out for giveaway mistakes, it actually says outbreak aroud you, an error both of grammar and spelling that you can see below.


Sure, mainstream websites make spelling mistakes, too, but every clue helps, so keep your eyes open for errors that might be a telltale sign of crooks in a hurry.


As we’ve seen before in coronavirus-themed cybercrime, the criminals have added the logos of various legitimate and useful sources of information:



Left: Main malware landing page when browsing from Android
Right: Download button with fraudulent “certification” claims


This time, they’re claiming their app is “certified by” the US Department of Education, the World Health Organization (WHO), and the US Centers for Disease Control and Prevention (CDC).


(No, that’s not a typo above: the CDC runs its operations and research from numerous major locations, so its name is a plural.)


If you’re wondering why the feature to track coronavirus infections in more than 100 countries has what looks like a winner’s gold cup above it with the number “1” on it, it’s because the crooks have plundered various legitimate apps and brands to leech logos, layout ideas, icons and more to use in their code.


The marketing material that the crooks have crudely ripped off comes from the pages of an unrelated Google Play app that really does have a 4.4-star rating:



Left: ripped-off web site content repurposed by malware authors
Right: original marketing from unrelated Google Play app


What about the app?

As you can see from the screenshot above, the “tracker app” doesn’t come from Google Play, because it wouldn’t get in.


Instead, you have to go off-market by downloading it directly from the crooks’ website by clicking their own [DOWNLOAD APK] button.


When you run the app for the first time, it asks for various permissions that might make you suspicious, but that don’t seem too outrageous, given that it’s supposed to keep you alerted about coronavirus cases as you move around.


In particular, the app wants to run in the background, to have lockscreen access, and to use Android’s accessibility features, as you see here:



Left: background permission is requested immediately
Right: clicking the [SCAN] button on the app screen demands you to grant more permissions first


Although the malware claims to need lockscreen access to give you an “instant alert when a coronavirus patient is near you”, that’s bogus for two reasons.


Firstly, even if the app is using the latest coronavirus stats, downloaded in real time, it has no way of determining the infectious status of any individual passing by, so it is false (and, indeed, creepy) to claim this as a “feature” at all.


Secondly, you don’t need “lockscreen access” to send notifications to the lockscreen – that’s controlled by the user, who can choose from their phone’s settings what sort of notifications to show when the phone is locked.


In fact, the malware wants what’s called device admin rights, as you can see in the screenshot below.


This is a feature that Google describes in its own documentation as allowing “device administration features at the system level, [to] allow you to create security-aware apps that are useful in enterprise settings.”


Similarly, if this app were genuine, it wouldn’t need Accessibility permissions, as it claims.


Those features are intended for use by software such as screen readers (which obviously need to access the screen content of other apps), and they’re tolerated on Google Play for security apps that can justify looking out for data such as web links in order to look for malicious sites.


The app claims that it needs Accessibility permissions by mentioning “active stats monitoring”, but a legitimate program would get its data by downloading and processing it itself, not by “sneaking a peek” and stealing it from other apps.



Left: malware demands device admin powers, though they aren’t needed for lockscreen notifications
Right: malware uses Accessibility functions to track your app usage


What happens next?

The real reasons why this malware wants to run in the background, monitor the other apps you are running, and intervene as a device administrator…


…are probably rather obvious, given the headline of this article.


Amongst other things, it tracks which app you have in the foreground and takes over control as soon as you try to use your phone for most of its normal features, including making calls, getting and sending messages, and accessing the Settings page.


And the Settings page is probably exactly where you will want to go as soon as the malware kicks in, which it does within about a second of launching most apps:



The malware locks you out of most apps by quickly covering them entirely with a blackmail demand
The demand mixes sextortion with ransomware


As you can see, this one is a combination of sextortion and ransomware – you’re locked out of your device because of the persistent pop-over screen, but with a threat to leak personal videos and photos to your family as an added incentive to pay up.


Once you’re infected, you can’t access Settings (where you can, in fact, kill off and uninstall the malware), in an attack reminiscent of Reveton, one of the earliest mobile phone “screen locker” ransomware variants that was widespread back in 2012.


Ironically, the malware is careful not to block your browser, even though you could use it to go online and look for advice on how to clean up.


That’s because the malware itself relies on the browser to load its own “here is how it works” page, hosted on the free data-sharing site Pastebin:



Instructions for how much to pay and whom to contact


How to clean up

Fortunately, at least in our experiments with this sample, the malware was fairly easy to remove by hand.


Our files were left intact, with the malware relying on its rapid pop-over screen as its way of keeping you locked out of your device, and as far as we can tell, the threat to reveal your personal data to friends and family if you don’t pay is entirely empty.


In other words, if you can remove the app so it no longer interferes with your phone usage, then you’re essentially home free.


A quick fix is offered by the fact that the crooks were lazy, and hardcoded the unlock code into their app:



Hardcoded unlock PIN in the malware


When we typed in the 10-digit code 4865083501 where you see enter decryption code in the blackmail page shown above, the malware stopped blocking our access to other apps.


Note, however, that the unlock code doesn’t actually stop the malware and uninstall it!


(The crooks handily left logging code in their app, so we could use the Android development tool adb logcat to watch the app continuing to abuse its Accessibility permissions to track apps as we used them, even after we’d entered the unlock code.)


But after entering the unlock code, we were able to access the Settings page, remove the malware’s device admin rights and uninstall it.


We used Settings > Apps and notifications > See all N apps to reach the App info page, where we located the Coronavirus Tracker app:



Left: the top-level App info page
Right: the malware shows up as “Coronavirus Tracker”


We tapped on the malware entry to open up its own App info page, where we used the system’s Uninstall button to get to the Deactivate & uninstall option, by which the system will demote the app from its device admin role (which prevents regular uninstallation) and then remove it:



Left: the [Uninstall] button on the system App info page
Right: uninstalling from here lets you remove device admin and the app in on


We also tried rebooting our phone in Safe Mode, where most background apps don’t run, to see if we could remove the malware without relying on the unlock code – even though we know the right code for this sample, it might be different in other variants of the malware.


Also, there is something unappealing about trying to remove the malware while it’s still active and keeping track of what you’re up to on the device.


On our phone, Safe Mode is activated by holding the power button until the reboot menu appears, then holding down the power off icon for a second or two until the Safe Mode menu appears.


After a reboot, the text Safe mode appeared at bottom left of the screen; the malware didn’t launch; and we could use the same procedure as we did above to locate, deactivate and uninstall the malware.


What to do?

Not all mobile malware is this easy to get rid of, and most ransomware these days no longer just locks your device but also scrambles your files so that they need decrypting, too.


And many crooks have learned not to take shortcuts with their passwords, so it’s unusual to find an unlock key right there in the malware code.


So, your best bet is not to let your Android get infected in the first place.


  • Stick to Google Play. It’s not perfect, but it would almost certainly never have admitted this app, not only because of its coronavirus theme, but also because of its blatant abuse of permissions.


  • Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it will not only block malware from running in the first place, wherever you download it from, but also keep you away from risky websites to start with.


  • Never believe an app’s own propaganda. In this case, the crooks simply stole a marketing history from an existing app and claimed it as their own, complete with a positive review rating. On-site reviews are largely meaningless – they could have come from anywhere, and probably did. If you need advice, ask someone you actually know and trust.


  • Don’t grant permissions to an app unless it genuinely needs them. Decently-behaved apps generally still work, albeit with limited features, even if you withhold some permissions, so this malware’s trick of demanding unreasonable permissions before it runs at all should be considered suspicious.


Oh, in case it makes you feel better, the total amount that the crooks have received into the Bitcoin address shown in the Pastebin page above…

…is zero.
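The two powers the post singles out, device admin rights and Accessibility access, are both visible from outside the app, so a quick triage script can list who holds them before you go hunting through Settings. The helper below is an added example, not code from either article or from DomainTools or Sophos; it parses constructed text standing in for the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`, with the allowlisted packages, the malware package name and the dumpsys layout all assumed.

```shell
#!/bin/sh
# Added triage helper, not code from either article. On a real device the two
# inputs would come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
# The samples and the malware package name below are constructed; the dumpsys
# layout is assumed: an "Enabled Device Admins" heading followed by
# 4-space-indented component lines ending in ":".

# Packages that legitimately hold these powers on this test device (assumed).
ALLOWED_ACCESSIBILITY="com.google.android.marvin.talkback"
ALLOWED_ADMINS="com.google.android.apps.work.clouddpc"

# Print every enabled accessibility service whose package is not allowlisted.
# The setting is a colon-separated list of pkg/Service components, or "null".
flag_accessibility() {
    [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        [ -z "$comp" ] && continue
        pkg=${comp%%/*}
        case " $ALLOWED_ACCESSIBILITY " in
            *" $pkg "*) ;;
            *) echo "suspicious accessibility service: $comp" ;;
        esac
    done
}

# Print every active device admin receiver whose package is not allowlisted.
flag_admins() {
    printf '%s\n' "$1" | awk -v allowed=" $ALLOWED_ADMINS " '
        /Enabled Device Admins/ { inblock = 1; next }
        inblock && /^    [A-Za-z0-9_.]+\/[^ :]+:$/ {
            comp = $1; sub(/:$/, "", comp)
            split(comp, parts, "/")
            if (index(allowed, " " parts[1] " ") == 0)
                print "suspicious device admin: " comp
        }'
}

# Constructed sample output standing in for the two adb commands above.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.covidtracker/.MonitorService'
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10123
    com.example.covidtracker/.LockAdminReceiver:
      uid=10231'

flag_accessibility "$SAMPLE_A11Y"
flag_admins "$SAMPLE_DPM"
```

Anything the script flags is a candidate for the Settings > Apps walk-through above, or for removal from Safe Mode if the app fights back.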





Similar topic from Mobile News merged.
