Over the past several weeks we have seen numerous email phishing scams related to the COVID-19 pandemic. There have been waves of emails promoting product scams: convincing people to buy items such as disinfectants, masks, and hand sanitizers, then sending the victims anything but what was ordered (if anything at all). More sophisticated criminal activities include selling drugs and medicine with promises that they will help fight the virus, but which, of course, do nothing of the sort.
A larger proportion of these phishing emails and spam messages have carried embedded viruses, ransomware, and other types of malware. Infected users unwittingly install backdoors or remote access Trojans that open their systems to ransomware, enrollment in a botnet, or any number of other computer woes.
The attacks appear to have shifted in focus and are heavily targeting mobile applications. In recent days I have seen more and more malware solely aimed at mobile devices. For instance, I analyzed some Android downloads that appear to advertise themselves as COVID-19 informational applications. I am finding many that simply trick users into entering personal information, steal content from their mobile devices, and in some cases directly attack the user and mobile device with malware.
The Kinda Terrible
One example is the covidMapv8.1.7.apk application. It requests an unusual number of permissions from the Android device, including:
The app is able to read your contacts, and can also send/receive SMS messages. SMS fraud is something mobile phone users have been dealing with for some time – this is nothing very new. Many of us have seen SMS shortcode sends (those messages from 5-6 digit numbers), and in some cases sending SMS messages to a specific phone number can result in additional charges that relate to fraud (see the explanation below).
However, I believe this particular application may be using SMS messages to send victims a ransomware link. Upon analysis, I found several strings within the application that try to unlock and open access to the mobile device.
Not too bad, though. Right?
I was thinking the application, in and of itself, was not horribly malicious. But then things changed. I observed it reaching out to an IP address (220.127.116.11). I ran it through some sites and it did not show up as a malicious one. Maybe a dead link? I’m not sure.
But then it also reached out to two URLs, one of which (hxxp://lanadelrey.top) was detected as malicious. So it connects out to at least one known malicious site, through which control of your device becomes a certainty.
The Really Terrible
The second application is a file named CoronaVirus-apps.apk, and it appears to be much more malicious in nature. During my analysis:
· The application collected all contact and address book information.
· Location tracking and audio capture permissions were also requested by the application.
Like most other mobile malware samples, it tried to commit SMS premium toll fraud. Basically, let’s say you want to purchase a ringtone or wallpaper for your device. You can do this by texting to a short code, get the content, and be billed for it on the next payment cycle. Cybercriminals can make a lot of money by getting your system to ‘purchase’ premium items without you knowing it. Your phone bill might look a little off if they want to do lots of small collections spread out among a large group of victims, which is typical.
There was also evidence the application may be participating in click fraud to generate revenue for the cybercriminal. This is a type of fraud that occurs within the pay-per-click model many Internet sites use. Advertisers pay the host according to clicks to the site, because their ads are being viewed. Cybercriminals get your device to imitate a legitimate web browser user clicking through to their fraudulent site, which is set up to receive payment for those clicks.
The application also connected out to a known malicious URL: hxxp://botduke1.ug
Here are the permissions this malware requested within the victim’s Android device – quite a few more than the malware example above:
This particular piece of malware seemed to be much more invasive and capable of controlling the device.
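The permission review described for both samples can be partly automated. The following Python sketch is an added example (not the author's tooling and not code from either APK): it reads a manifest that has already been decoded to text XML, groups the requested permissions into the capabilities discussed above, and flags combinations worth a closer look. The combination rules, the package name and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in a decoded AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities mentioned in the post, mapped to real Android permission names.
CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "sms_receive": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
}

# Triage heuristics (an assumption of this example, not a verdict on any app).
RISKY_COMBOS = {
    "premium SMS / toll fraud": {"sms_send"},
    "SMS lure sent to contacts": {"contacts", "sms_send"},
    "SMS interception": {"sms_receive"},
    "location and audio surveillance": {"location", "audio"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    # Stdlib parser for brevity; use defusedxml for untrusted input in bulk.
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml):
    """Return (capabilities present, sorted list of risky combinations)."""
    perms = requested_permissions(manifest_xml)
    caps = {cap for cap, names in CAPABILITIES.items() if perms & names}
    findings = sorted(k for k, need in RISKY_COMBOS.items() if need <= caps)
    return caps, findings

# Constructed sample manifest (not taken from either APK in the post).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""
```

A flagged combination is a reason to inspect the app further, not proof of malice: legitimate messaging apps request the same SMS and contact permissions.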
I had some fun digging through these samples, but apart from analyzing them, I feel bad for the good people that get tricked into opening these up in their systems.
Please be careful of what you download and enable on your devices – particularly in any time of crisis. Cybercriminals truly reap higher rewards in time of confusion – the general state of alertness is weakened when we deal with a large-scale disaster, such as a pandemic event.
If you were hit by one or the other, my sympathies. If not, I thought it might be useful to provide the SHA256 hashes for these two examples.
Until next time – be safe, stay healthy, and remain alert in fighting cybercrime!