Fake Coronavirus apps hit Android & iOS users with spyware, adware

Cybercriminals are trying every trick up their sleeve to benefit from the Coronavirus pandemic and the subsequent chaos that it has generated. The latest trap that they have laid to trick users is by releasing malicious spying apps disguised as COVID-19 updates and information applications.

Trend Micro’s cybersecurity researchers discovered an ongoing cyberespionage campaign at the end of March, 2020, which they named Project Spy. According to their assessment, through Project Spy, the attackers are infecting Android and iOS devices with spyware distributed through apps titled Coronavirus Updates, Wabi Music, Concipit 1248 and Concipit Shop.

These apps can perform a variety of functions including transferring data from Telegram, WhatsApp, Threema, and Facebook messages.




Furthermore, it collects voice notes, call logs and contacts information, sensitive device information (such as device ID, IMEI number, manufacturer, hardware, model, bootloader, tag, host, application and OS version), images, SIM information including MCC-mobile country, IMCI operator code, SIM serial, and even mobile number.

Moreover, it uploads information about the WiFi network including MAC address, SSID, and WiFi speed, and other data from the mobile such as fingerprint, date, time, display, and updated at and created at information.

Fake Android app (left) – Two fake apps targeting iOS (right) – Image credit: Trend Micro

The app is currently targeting Android and iOS users in India, Pakistan, Bangladesh, Afghanistan, Iran, Russian, Saudi Arabia, Romania, and Grenada. The campaign is dubbed Project Spy because of its backend server’s login page. It steals the messages from applications by exploiting the notification permission to access the notification content and storing it to the attacker’s database.

To access additional storage, it asks for user permission. The coding style of this app is quite amateurish, perhaps this is why the number of downloads is relatively low. Researchers claim that the app seems to be in its incubation phase.

Users are cautioned to research and check reviews before they download apps. Observe and look at the app’s display and text, stated functions, reviews from other users, and requested permissions before downloading. Make sure that all other apps installed and the device operating systems are updated to the latest version, researchers advised in their blog post.

On the other hand, the IT security researchers at Pradeo Lab also discovered a misleading Wallpaper app that was released in February and so far several versions of the same app have been released. This app claims to offer information for protection against the Coronavirus and also features three informative topics about the pandemic.

However, there is another tab at the bottom of the page titled Themes, which is the real game-changer for the app developer. The themes section is there to promote free and paid wallpaper theme. The information is copied from many reputable news services such as John Hopkins University, Yahoo News, and the World Health Organization (WHO).




Soon after downloading the app, the user starts receiving notifications about new wallpaper themes and the primary objective remains the same in all of its versions while every new version has minor tweaks to further mislead the users.

Malicious app targeting Android users (Image via Pradeo)

Hence, it is understood that the app merely is an attempt to drive downloads and of the app and generate direct profit via promoting apps and paid themes. Another objective is to improve the app’s ranking in the store.

Remember, this is no the first time when hackers have used Coronavirus to spread malware infection or scam unsuspecting users. Currently, fake Coronavirus vaccines are also being sold on the dark web but it does not end here. In fact, fake live maps of the virus’s spread are also being set up to spread malware across the globe.

You may also like...