Researchers Discover Coronavirus Malicious Applications: What You Should Know

Janet Tompson
4 min read, Apr 18, 2020

During this pandemic, especially over the last 30 days, numerous articles have been published recommending that we keep our mobile phones clean to reduce the risk of Coronavirus infection. On one hand, there is definitely a debate about whether it is absolutely necessary to clean your phone case and screen to get rid of possible germs, but it is certainly a good idea to watch out for another, internal type of infection that your phone could pick up.

Skilled hooligans are exploiting people's concerns about Coronavirus to spread mobile malware. This includes Mobile Remote Access Trojans (MRATs), Banker Trojans, and Premium Dialers, delivered via apps which claim to offer Coronavirus-related information and aid to users.

Researchers and data experts have found 16 different malicious apps. All of them masquerade as legitimate coronavirus apps while carrying malware that aims at stealing users' sensitive information and/or generating fraudulent revenue from premium-rate services.

How harmful are they?

The research showed that none of the malicious apps were found on an official app store. Instead, they were offered from newly registered Coronavirus-related domains. Researchers believe that these domains were created specifically with the aim of deceiving and hoodwinking users.

Researchers say that at least 30,103 new coronavirus-related domains were registered, of which 0.4% (131) were malicious and 9% (2,777) were suspicious and under investigation. In total, over 51,000 coronavirus-related domains have been registered since January 2020.

As an independent developer, as a mobile app development company or as an enterprise, you need to protect all your customers, employees and clients, along with their devices, against sophisticated mobile cyberattacks with the various solutions available online, such as Check Point SandBlast Mobile. You can also consult your development partner or your mobile app development company if you wish to protect the devices in your enterprise.

The Technicalities

Metasploit

The Metasploit Framework is an exploitation and vulnerability validation tool used in penetration tests. It lets the user build a customized payload from a wide range of exploitation and delivery techniques. The research found that Metasploit is also frequently used for malicious purposes by threat actors.

Using this framework is very simple and easy to learn. Anyone with basic computer knowledge and access to the right environment is capable of crafting sophisticated malicious programs that incorporate the newest vulnerabilities and putting them to any desired purpose.

Three samples generated with the Metasploit Framework were found carrying the name 'coronavirus.apk'. This app can easily be delivered and installed on large numbers of devices, and can carry out almost any malicious action the threat actor wishes. Once executed on the device, it starts a service which hides the app's icon in order to make it harder to get rid of.

The app then connects to a Command and Control server whose address is stored in an array in the malware's code, in order to load a malicious dex payload module.

Cerberus

Cerberus is a malicious Android Banking Trojan. It is a well-known MaaS (Malware-as-a-Service) which enables anyone to rent its services to build their own payload, then configure, command and control any devices infected with it. Currently there are 3 different samples being downloaded from Corona-themed domains:

http:// coronaviruscovid19-information [.] com/it/corona.apk

https:// coronaviruscovid19-information [.] com/it/corona.apk

https:// corona-apps [.] com/Corona-Apps.apk

These are the notorious Cerberus samples, which hide behind names like 'corona.apk' and 'Coronavirus_no_push_obf.apk'. The 'corona' name is being exploited across the web.

This trojan has the ability to log all keystrokes on the device, including credentials; to steal Google Authenticator data and any SMS received for OTPs; and to command the device remotely via TeamViewer. This makes it an extremely dangerous and powerful piece of malware.

CallPay Premium Dialer

These are malware hiding as mobile applications that subscribe the victim to premium services without their approval, and even without informing them.

Currently there is a malicious premium dialer doing the rounds on the web whose name and package name are both coronaviral.oca.sdoasd.

It includes 2 services. The first is called SmsService and performs an HTTP POST request, with a set of parameters, to http:// app [.] spnewsource [.] com/scripts/app_mobile_message_get_nums.php. When the data is posted successfully, the response contains a phone number and a crafted text message, which the service then sends to that number.

The second service is called DialService. Its job is likewise to perform an HTTP POST request, with the same parameters as the previous service, to http://app [.] spnewsource [.] com/scripts/app_call_request.php. In return it receives a phone number, which the application then calls.
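As an added example that is not code from the original post or from the researchers it cites, the script below performs a defensive static triage of a decoded AndroidManifest.xml for the premium-dialer pattern described above (network, SMS and call permissions together with SMS/dial-named services) and refangs the defanged C2 URLs into plain domains for a blocklist. The manifest is a constructed sample; its permission set is an assumption derived from the behaviour the post describes, not the real sample's manifest.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities an app needs in order to send SMS and place calls on its own,
# which is exactly what the SmsService/DialService pair above does.
PREMIUM_DIALER_PERMS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
NETWORK_PERM = "android.permission.INTERNET"

# Constructed sample manifest (assumption, not the real sample): package name
# and service names follow the post, the permissions are inferred from behaviour.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="coronaviral.oca.sdoasd">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Corona Info">
        <service android:name=".SmsService"/>
        <service android:name=".DialService"/>
    </application>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return (package, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")]
    findings = []
    if PREMIUM_DIALER_PERMS <= perms and NETWORK_PERM in perms:
        findings.append("premium-dialer capability: INTERNET + SEND_SMS + CALL_PHONE")
    for svc in services:
        if re.search(r"(sms|dial|call)", svc, re.IGNORECASE):
            findings.append(f"service with SMS/call-related name: {svc}")
    return package, findings

def refang(indicator):
    """Turn a defanged URL such as 'http:// app [.] example [.] com/x' into a real one."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator).replace(":// ", "://")

def domain_of(url):
    """Extract the host part of a URL for use in a DNS or proxy blocklist."""
    return re.sub(r"^https?://", "", url).split("/")[0]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(domain_of(refang("http:// app [.] spnewsource [.] com/scripts/app_call_request.php")))
```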

Hiddad

Hiddad, short for "Hidden Ad", has been hunting for victims on the web for a while now and has been seen in many different variants. It has surfaced again to exploit the current demand for Coronavirus information: the malware is circulating disguised as a Corona information app for Arabic speakers, called 'کرونا ویروس .apk'.

When executed, the Hiddad malware hides its icon, making it very hard to find and remove. It then starts pushing ads to the user's screen, whether or not the user is inside the app.

Endnotes

As users, we should always be vigilant about such malicious content doing the rounds on the web. The best thing to do is never download an app that is not available on the Play Store, and avoid downloading anything from websites that do not have an SSL certificate.

Written by Janet Tompson

Technology consultant in web, mobile and emerging technology.