Over the past several weeks we have seen numerous email phishing scams related to the COVID-19 pandemic. There have been waves of emails promoting product scams: convincing people to buy items such as disinfectants, masks, and hand sanitizers, then sending the victims anything but what was ordered (if anything at all). More sophisticated criminal activities include selling drugs and medicine with promises that they will help fight the virus, but which, of course, do nothing of the sort.
A large proportion of these phishing and spam emails carry embedded viruses, ransomware, and other types of malware. Infected users unwittingly install backdoors or remote access Trojans that open their systems to ransomware, enrolment in a botnet, or any number of other computer woes.
The attacks appear to have shifted in focus and are heavily targeting mobile applications. In recent days I have seen more and more malware solely aimed at mobile devices. For instance, I analyzed some Android downloads that appear to advertise themselves as COVID-19 informational applications. I am finding many that simply trick users into entering personal information, steal content from their mobile devices, and in some cases directly attack the user and mobile device with malware.
The Kinda Terrible
One example is the covidMapv8.1.7.apk application. It requests an unusual number of permissions from the Android device, including:
CALL_PHONE
INTERNET
READ_CONTACTS
READ_PHONE_STATE
READ_SMS
RECEIVE_BOOT_COMPLETED
RECEIVE_SMS
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
SEND_RESPOND_VIA_MESSAGE
SEND_SMS
The app is able to read your contacts, and can also send and receive SMS messages. SMS fraud is something mobile phone users have been dealing with for some time – this is nothing very new. Many of us have seen SMS short code messages (those from 5- or 6-digit numbers), and in some cases sending SMS messages to a specific phone number can result in additional charges that amount to fraud (see the explanation below).
However, I believe this particular application may be using SMS messages to send victims a ransomware link. Upon analysis, I found several strings within the application that try to unlock and open access to the mobile device.
Not too bad, though. Right?
I was thinking the application, in and of itself, was not horribly malicious. But then things changed. I observed it reaching out to an IP address (108.177.15.188). I ran it through some reputation sites and it did not show up as malicious. Maybe a dead link? I’m not sure.
But then it also reached out to two URLs, one of which (hxxp://lanadelrey.top) was detected as malicious. So it connects out to at least one known malicious site, through which control of your device becomes a certainty.
The Really Terrible
The second application is a file named CoronaVirus-apps.apk, and it appears to be much more malicious in nature. During my analysis:
· The application collected all contact and address book information.
· Location tracking and audio capture permissions were also requested by the application.
Like most other mobile malware samples, it tried to commit SMS premium toll fraud. Basically, let’s say you want to purchase a ringtone or wallpaper for your device. You can do this by texting a short code; you get the content and are billed for it on your next payment cycle. Cybercriminals can make a lot of money by getting your device to ‘purchase’ premium items without your knowledge. Your phone bill might look only a little off, because the typical approach is lots of small collections spread out across a large group of victims.
There was also evidence the application may be participating in click fraud to generate revenue for the cybercriminal. This is a type of fraud that targets the pay-per-click model many Internet sites use: advertisers pay the host site for each click on their ads, on the assumption that a real person viewed them. Cybercriminals get your device to imitate a legitimate user’s web browser clicking through to a site they control that is set up to receive payment for those clicks.
The application also connected out to a known malicious URL: hxxp://botduke1.ug
Here are the permissions this malware requested on the victim’s Android device – quite a few more than the malware example above:
ACCESS_LOCATION_EXTRA_COMMANDS
ACCESS_NETWORK_STATE
BIND_ACCESSIBILITY_SERVICE
BIND_JOB_SERVICE
BIND_NOTIFICATION_LISTENER_SERVICE
BROADCAST_STICKY
CALL_PHONE
FOREGROUND_SERVICE
GET_ACCOUNTS
INTERNET
MODIFY_AUDIO_SETTINGS
PROCESS_OUTGOING_CALLS
READ_CONTACTS
READ_EXTERNAL_STORAGE
READ_PHONE_STATE
READ_SMS
RECEIVE_BOOT_COMPLETED
RECEIVE_SMS
RECORD_AUDIO
REORDER_TASKS
REQUEST_COMPANION_RUN_IN_BACKGROUND
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
SEND_RESPOND_VIA_MESSAGE
SEND_SMS
USE_FULL_SCREEN_INTENT
WAKE_LOCK
WRITE_EXTERNAL_STORAGE
This particular piece of malware seemed to be much more invasive and capable of controlling the device.
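As an added example that is not part of the original post, here is a small Python triage helper that scores a permission list against the abuse patterns described for both samples above (SMS control, texting the contact list, accessibility abuse, notification reading, audio capture, call control, persistence). The rule names, weights and reasons are my own assumptions rather than any standard scheme; the two permission lists are the ones reported in this post.

```python
# Added example (not code from the original post): scores an Android permission
# list by the abuse patterns the post describes. Rule names, weights and reasons
# are this example's own assumptions; the two sample lists are copied from the
# post. Raw manifest names ("android.permission.SEND_SMS") are accepted as well.
from typing import Dict, List, Set, Tuple

RULES: Dict[str, Tuple[Set[str], int, str]] = {
    "sms_control":   ({"SEND_SMS", "RECEIVE_SMS"}, 3,
                      "send and intercept SMS: premium-toll fraud, OTP theft"),
    "sms_spread":    ({"READ_CONTACTS", "SEND_SMS"}, 2,
                      "can text the victim's contacts, e.g. a ransomware link"),
    "accessibility": ({"BIND_ACCESSIBILITY_SERVICE"}, 4,
                      "accessibility service: reads the screen and drives the UI"),
    "notifications": ({"BIND_NOTIFICATION_LISTENER_SERVICE"}, 2,
                      "reads every notification, including 2FA codes"),
    "audio_capture": ({"RECORD_AUDIO"}, 3, "records audio from the microphone"),
    "call_control":  ({"PROCESS_OUTGOING_CALLS", "CALL_PHONE"}, 2,
                      "can place or reroute phone calls"),
    "persistence":   ({"RECEIVE_BOOT_COMPLETED",
                       "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}, 1,
                      "restarts on boot and resists being put to sleep"),
}

def triage(perms: List[str]) -> Dict[str, object]:
    """Return the total score and the matched rules for one permission list."""
    have: Set[str] = {p.strip().upper().rsplit(".", 1)[-1] for p in perms}
    hits = {name: why for name, (need, _, why) in RULES.items() if need <= have}
    return {"score": sum(RULES[n][1] for n in hits), "hits": hits}

COVIDMAP = ["CALL_PHONE", "INTERNET", "READ_CONTACTS", "READ_PHONE_STATE",
            "READ_SMS", "RECEIVE_BOOT_COMPLETED", "RECEIVE_SMS",
            "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "SEND_RESPOND_VIA_MESSAGE",
            "SEND_SMS"]
CORONAVIRUS_APPS = COVIDMAP + [
    "ACCESS_LOCATION_EXTRA_COMMANDS", "ACCESS_NETWORK_STATE",
    "BIND_ACCESSIBILITY_SERVICE", "BIND_JOB_SERVICE",
    "BIND_NOTIFICATION_LISTENER_SERVICE", "BROADCAST_STICKY",
    "FOREGROUND_SERVICE", "GET_ACCOUNTS", "MODIFY_AUDIO_SETTINGS",
    "PROCESS_OUTGOING_CALLS", "READ_EXTERNAL_STORAGE", "RECORD_AUDIO",
    "REORDER_TASKS", "REQUEST_COMPANION_RUN_IN_BACKGROUND",
    "USE_FULL_SCREEN_INTENT", "WAKE_LOCK", "WRITE_EXTERNAL_STORAGE"]

if __name__ == "__main__":
    for name, perms in (("covidMapv8.1.7.apk", COVIDMAP),
                        ("CoronaVirus-apps.apk", CORONAVIRUS_APPS)):
        report = triage(perms)
        print(f"{name}: score {report['score']}")
        for rule, why in report["hits"].items():
            print(f"  [{rule}] {why}")
```

The second sample trips every rule while the first trips only the SMS and persistence ones, which matches the difference in capability the post describes.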
I had some fun digging through these samples, but apart from the analysis, I feel bad for the good people who get tricked into opening these on their devices.
Please be careful of what you download and enable on your devices – particularly in any time of crisis. Cybercriminals truly reap higher rewards in times of confusion – the general state of alertness is weakened when we deal with a large-scale disaster, such as a pandemic event.
If you were hit by one or the other, my sympathies. If not, I thought it might be useful to provide the SHA256 hashes for these two examples.
a754c35dd09677b0b96d8a0dad5c9c5fdd28abd8cf2d8d38a9bd945ca8362e02 CoronaVirus-apps.apk
2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823 covidMapv8.1.7.apk
Until next time – be safe, stay healthy, and remain alert in fighting cybercrime!