Although many legitimate mobile applications designed to help people track and monitor symptoms of the Covid-19 coronavirus are beginning to reach the market, analysis of Android telemetry from Google Play and other third-party marketplaces has revealed that both relatively harmless opportunist developers and malicious cyber criminals have climbed on board the bandwagon.
Bitdefender researchers found huge spikes, from early March 2020, in scans of applications containing either ‘covid’ or ‘corona’, and found that the number of scanned applications from the medical category increased by more than 35%. They identified 579 applications that contained coronavirus-related keywords in their manifest.
According to Bitdefender, many of these apps – 560 of them – were entirely legitimate and provided information on how to avoid infection, news updates regarding the coronavirus, and even medical appointment booking services.
However, many of them had absolutely nothing to do with the coronavirus, and some of the more malicious examples contained aggressive adware, or were bundled with malware, it added.
Among some of the less malicious and more opportunistic examples found were mobile games, such as Bubble Shooter Merge and Galaxy Shooter – Falcon Squad. The developers of both of these applications updated their app names within Google Play to include coronavirus-related keywords to improve their SEO and make their products more visible.
Meanwhile, the developer of ‘4K Wallpaper – only quality wallpapers!’ changed the name of their app to ‘Coronavirus (2019-nCov) – Protect yourself!’ although this developer did at least make an effort to update their app to include some coronavirus-themed wallpaper downloads.
Bitdefender’s research team, led by Liviu Arsene, said that Google had started making adjustments to search algorithms within Google Play to filter or remove dodgy coronavirus apps as soon as the World Health Organisation (WHO) declared a pandemic on 11 March 2020.
For example, keyword searches would display no search results in the app section of the Google Play Store, and Google also set up a dedicated webpage within the Google Play marketplace to display legitimate or relevant applications.
“Google Play also prohibits developers from capitalising on sensitive events and our long-standing content policies strictly prohibit apps that feature medical or health-related content or functionalities that are misleading or potentially harmful,” said Google and Alphabet CEO Sundar Pichai at the time.
However, said Bitdefender, at the time of disclosure, 22 apps using the ‘coronavirus’ keyword were still online, many of them official and listed under ‘Health and Fitness’ and ‘Medical’ categories. It said 280 apps had been removed, including many regional or global coronavirus tracking apps.
Where things become more murky and dangerous is in the world of third-party marketplaces, which is where more of the outright malicious apps exploiting coronavirus are to be found.
“As expected, most of these malicious applications leverage the coronavirus pandemic to scare users into installing the apps. Others use variations on coronavirus domains to hide their command and control infrastructure,” wrote Bitdefender’s Arsene in a threat disclosure blog.
Among these apps is the Anubis banking trojan, which now imitates a coronavirus information app and asks for accessibility on installation. If authorised by its victim, it can then request other permissions and accept them on its own. It throws users off track by redirecting them to a coronavirus statistics website and hides its icon while it gets to work in the background.
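As an added illustration (not Bitdefender's tooling and not code from the article), the following Python example triages a decoded AndroidManifest.xml for the two signals described above: the ‘covid’/‘corona’ keywords in the manifest and a declared accessibility service. The sample manifest, its package name and the `triage_manifest` function are constructed for this example.

```python
import xml.etree.ElementTree as ET  # for untrusted input, defusedxml is a safer parser

ANDROID = "{http://schemas.android.com/apk/res/android}"
KEYWORDS = ("covid", "corona")  # the two keywords named in the article
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest (decoded text XML); not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coronainfo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Corona Live Info">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return keyword hits and declared accessibility services for one manifest."""
    root = ET.fromstring(xml_text)

    # Keyword check over every attribute value (package id, label, component names).
    # Labels given as @string/... references would need the app's resources as well.
    values = [v.lower() for el in root.iter() for v in el.attrib.values()]
    hits = sorted(k for k in KEYWORDS if any(k in v for v in values))

    # An accessibility service is declared either by the bind permission on the
    # <service> element or by the AccessibilityService intent-filter action.
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if svc.get(ANDROID + "permission") == A11Y_PERMISSION or A11Y_ACTION in actions:
            services.append(svc.get(ANDROID + "name"))

    # Either signal alone is common in legitimate apps; the pair merits a manual look.
    return {"keywords": hits, "accessibility_services": services,
            "review": bool(hits and services)}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest that matches on a keyword but declares no accessibility service, as the renamed wallpaper and game apps would, comes back with `review` set to `False`.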
Another dangerous app gaining traction around the world is the Iranian corona information app AC19 – which came to prominence early on in the outbreak when it became clear it was likely a piece of spyware. The sample seen by Bitdefender asks for permissions to scan for the coronavirus, but is in fact asking for sensitive Android app privileges that let it continue its malicious activities.
Meanwhile, an app called Coronavirus Tracker dispenses adware to its victims. When started, it claims to be unavailable in the user’s country and then hides itself, staying out of sight for a while before bombarding the user with unwanted ads, although oddly it does not always hide itself when found on Xiaomi devices. “While the reason is unknown, this could indicate that Xiaomi is a personal favorite of the malware authors,” noted Arsene.
Bitdefender’s researchers also turned up examples of the infamous Joker trojan capitalising on the coronavirus outbreak, hiding its command and control (C2) server with a Covid-19-related domain variation. It is distributed with a game called iFun that has been packaged up with the Joker malware, which then downloads its payload to the victim’s device.
“The coronavirus pandemic might have everyone running around after information, searching for applications that offer live monitoring or even medical appointments to get tested,” said Arsene.
“It’s always recommended that you install only official apps from official marketplaces, and seek information only from official sources. Also, it’s crucial to make sure you have a mobile security solution that can keep you and your device safe from malware and other online threats.”