Fake contact-tracing apps delivering banking trojans
Spoof government coronavirus apps are popping up all over the world, says the Anomali Threat Research team
A wide range of official Android Covid-19 contact-tracing apps are being spoofed by cyber criminals and used to deliver the Anubis and SpyNote malware strains, according to new research by threat researchers at Anomali, which specialises in machine learning-enhanced security intelligence.
The fake apps, mostly targeting Android devices, are designed to download and install malware to monitor their targets, and steal banking credentials and other valuable personal data. Anomali said it believed the fake apps were being distributed via other apps, third-party stores and websites, and none of them had been spotted in the official Google Play Store.
All told, the Anomali Threat Research (ATR) team found 12 malicious apps targeting citizens of Armenia, Brazil, Colombia, India, Indonesia, Iran, Italy, Kyrgyzstan, Russia and Singapore. There can be little doubt that others exist that have not yet been detected, said ATR.
“The potential security and privacy-related risk of malicious Covid-19 apps is evident in Anomali Threat Research and other security researchers’ findings,” said the team in a disclosure blog.
“Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the Covid-19 pandemic makes the virus a recognisable and potentially fear-inducing name, which actors will continue to abuse.”
Anubis, an Android banking trojan, has been around since 2017 and pretends to be a legitimate app update. It uses custom injects designed to make the victim think they are using their real banking app, while the criminal-controlled overlay sitting on top of the app siphons off the victim’s credentials and other sensitive information.
The SpyNote Android trojan, first identified by Palo Alto Networks’ Unit 42 threat intel team back in December 2016, has the primary objective of gathering, monitoring and exfiltrating data on its targeted devices. It shares code similarities and other functionality with two other remote access trojans (RATs), DroidJack and OmniRat.
Chris Hauk, consumer privacy champion at Pixel Privacy, said: “Bad actors have never been reluctant to capitalise on crises or tragedies, and the Covid-19 pandemic is no exception. As we are encouraged to install Covid-19 contact tracking on our mobile devices, criminals will use this as an opportunity to infect our devices with malware.
“I urge users to take care as to which apps they install on their devices, and never to install apps from sources other than the authorised Google Play Store and iOS App Store, both of which have an app review system in place that usually detects malware in apps that are submitted to the stores.”
More information on Anomali’s findings, including screenshots of some of the fake apps, can be found here.
The possibility of contact-tracing apps being open to exploitation by cyber criminals has been one of the most prominent objections to their use in the fightback against the coronavirus pandemic, and despite its delayed release, the UK government’s beta app was targeted by scammers almost immediately after it was launched on a limited basis on the Isle of Wight.