Joint Investigation Reveals Evidence of Malicious Android COVID Contact Tracing Apps – Cyber Defense Magazine

By Peter Ferguson, Cyber Threat Intelligence Specialist at EclecticIQ’s Fusion Center

The devastation of the  COVID-19 pandemic has caused public-health and economic issues to countries around the globe, and the complications of which are far from over. In accordance to scientific guidance, many nations have launched contact tracing applications to monitor, identify, alert, and reduce the spread of infections.

However, the shift towards tracing apps has not always been smooth in the eyes of both the media and the public, with various concerns about the privacy of these tools. Considering such an app is an unprecedented phenomenon in a world that’s perhaps more connected than ever, it is easy to understand how some may see an Orwellian twist to the story, despite the arguable necessity for tracking in order to keep members of the public safe. In fact, a US survey by YouGov from April 2020 indicated that 43% of Americans believe that such an app would be an invasion of privacy and just one-third said they would install the app.

However, despite these concerns, as the pandemic continues and economic activity starts to resume, more and more countries have been looking into providing their own COVID-19 contact tracing applications. With this, it is likely that we’ll see threat actors exploit the window of opportunity of a new product being launched to the public in order to distribute malicious Android packages that pose as legitimate contact tracing applications while delivering banking trojans, spyware, and ransomware.

A recent joint investigation between EclecticIQ and the ThreatFabric research team has been produced into a report on this matter, with the findings suggesting that threat actors will almost certainly continue to use commodity and open source-based malware disguised as legitimate contact tracing applications for financial gain.

The low barrier to entry provided by these tools and the continued rollout of contact tracing applications by nations presents a continued financial opportunity for cybercriminals in the near future. Worryingly, we have observed evidence of malicious actors displaying their willingness to exploit the current pandemic by targeting legitimate contact tracing applications consistently in recent months. The samples analyzed by our research team had an earliest estimated build time of April 12^th, 2020 with the latest being June 23^rd, 2020.

Third-party tooling used to provide C2 anonymization

As part of our investigation, we have found examples of threat actors using third party tooling to provide anonymization to their command and control (C2) infrastructure. In our research, we found India to have been particularly targeted with malicious applications, with eight malicious applications that used Portmap.io, a commercially available port forwarding service, and Ngrok, a secure tunneling service.

Malicious Android packages distributed through phishing links

The examples of malicious contact tracing apps we analyzed were primarily distributed through phishing links designed to trick users into downloading a malicious Android package. One of the samples we analyzed, first identified by the MalwareHunterTeam, was disguised as an official contact tracing app for India and was an example of this phishing practice.

Furthermore, it would seem that the distribution of malicious Android packages disguised as legitimate contact tracing apps is consistent across the regions. As an example, ESET found that the official Canadian contact tracing app was targeted with ransomware, with users being lured into downloading the CryCryptor ransomware via two phishing links.

Investigation findings are consistent with previous open source reporting         

Our report found that the use of commodity and open-source based malware is consistent with previous open-source findings: Researchers at Symantec found that legitimate SM_Covid19 apps were repackaged by cybercriminals and injected with Metasploit, hence giving the identified samples Trojan capabilities. A further three samples were found to be disguised as the contact tracing app for India.

As part of our investigation, we also analyzed a publicly available malicious sample, disguised as the legitimate app for Singapore, which we found to be linked to the commodity Android Banking Trojan, Alien.

Malicious Android packages distributed for financial gain

From our analysis, we have assessed with high confidence that the majority of these malicious attacks on contact tracing apps are financially motivated. One of the indicators of this is the use of openly available tools, which require no financial input from the cybercriminals beyond the time needed to configure and deploy them.

Good advice to users would be to never download contact tracing Android applications from links sent to them or from third-party stores. If you’re interested in downloading your nation’s contact tracing application, we’d recommend the use of an official health body website or the Google Play Store. Social engineering remains an incredibly efficient tactic to manipulate users into downloading and installing a wide variety of malicious applications on mobile devices. As the crisis deepens, it has become increasingly important for users to remain cautious about the sources they download their software from and take due precautions when opening links that have been shared with them – spear phishing, the practice of luring victims to click on links or enter data via fraudulent emails that use a personalized approach can be incredibly deceiving even to the trained eye.

About the Author

Peter Ferguson is a Cyber Threat Intelligence Specialist at Amsterdam-based cybersecurity company EclecticIQ. He has a demonstrated history of working in the security industry, specializing in modeling threats to industry-standard models (Kill Chain, MITRE, STIX).

Peter can be reached online via LinkedIn and at our company website: https://www.eclecticiq.com/