On March 26, Symantec discovered 11 Android applications that were all made to appear like they were legitimate apps related to tracking cases in the Covid-19 pandemic, but which were in fact secretly downloading a malicious payload after installation.
The coronavirus pandemic is the main news story all over the world right now, with hundreds of thousands of cases and thousands of deaths.
These applications were created after March 20, a time when Covid-19 was spreading widely, particularly in Europe. From the apps’ user interface (UI) (see Figure 1) we can see these apps were targeting Italy, which has the most confirmed cases of Covid-19 in Europe, though it is now closely followed by Spain. However, even though it is clear the malicious apps were targeting Italy, we did also see them installed on devices in the U.S. and France as well.
All 11 of the malicious apps we discovered were repacked versions of a legitimate app, SM_Covid19 app, which “assesses the risk of transmission of the virus by monitoring the number, duration and type of contacts [people have]”. The repacked apps kept many of the features of the original app, such as collecting location and device information for Covid-19 monitoring. However, we found that the repacked apps were also injected with Metasploit, which allows for a reverse TCP connection and for various commands to be executed. The attackers can retrieve the compromised device user’s file information, SMS messages, contacts and even take screenshots of what the device is displaying.
The malware used also had a malicious module added that could download any payload from the attackers’ servers. This functionality means it would be possible for the attackers to perform the same attack on all users at the same time; it also means they could use all infected devices to create a botnet, potentially to do something such as perform a distributed denial of service (DDoS) attack or similar. The malicious apps’ ability to download any payload means they could in theory be used to infect a victim’s device with ransomware, infostealers, coinminers, or any other type of malware.
After decrypting the app, we were able to find the IP address of the control server. After investigating the server address, we found that the server was also located in Italy. We also discovered that the attackers also used a second server IP [188.8.131.52] for attacks.
This campaign shows that even at times of great global crisis attackers will try to take advantage of popular topics in an attempt to infect victims with malware, but there are some simple steps device users can take to help protect themselves from this type of activity.
- Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data.
Always download and install applications from official websites and app stores only.
Symantec and Norton products detect the extensions as the following:
Indicators or Compromise (IoCs)
We encourage you to share your thoughts on your favorite social platform.