CoronaScam.org

Fake COVID-19 tracking applications spotted

With the sudden spread of COVID-19, the need for some tool that would help trace contact between people quickly arose. The purpose of tracking applications is to use smartphones as a tool to track interactions between people in order to provide information to users if they have come in contact, or have been in close proximity, to a person confirmed positive of infection with the virus. 

Tracking applications are now encouraged, or even mandatory, in many countries and therefore have a large user base. With that, many malicious applications resembling the official tracking applications have begun to appear, mostly with the intention of stealing sensitive information from users.

The most common threats these users encounter are banker and spyware applications.

A banker is a type of malware that usually misuses Android's accessibility service to grant itself the capability to steal sensitive data, specifically log-in credentials, passwords and one-time authentication tokens.

Similar or identical icons and names resembling the original application are often used to trick the user into thinking that the application is legitimate. 

These apps usually don't offer the advertised COVID-19 functionality at all; their only purpose is to collect the user's sensitive data. Most of them hide their presence on the device shortly after installation, in the hope that the user will eventually forget they ever installed them.

We've encountered several variants of such bankers impersonating official tracking applications, specifically the British COVID Symptom Tracker, the Indian Aarogya Setu and a Russian app.

Examples of bankers found (name, package name, SHA-256):

Coronavírus - SUS
    Package name: wocwvy.czyxoxmbauu.slsa
    SHA-256: d7fc4377b7a765d6bc3901d0de01008095965d02062fda3707957163afe8884d

Corona Track
    Package name: njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu
    SHA-256: 9ffda0c1e8e9e9c63c5219941f3f72f04ef8027b2ed8443498100df27e00b8b0

Corona
    Package name: com.ygmdflerbfvl.tbistzkei
    SHA-256: 484f6862473b96487b7d2cb1079df512403ed48ab25adf6aa3738fb39acc625b

Corona
    Package name: com.xwrmnh.qoszdczhgyt
    SHA-256: bb1146c08e39e704dc50c81ba12169d0eede42c38fe9ea5eedae74952c75433a

Covid19
    Package name: hkflsxtoqzybtnk.bekcgmgokixinuo.jamqjxyajdubklkpatutw
    SHA-256: 1726cdd1bc9511216d1162b49000dd830ca863138f26fd27aa68c13e16ad7e73

Covid19
    Package name: zpihicsrqznizsqcmw.xdfkqojzwozggpbyplbnheeify.ftfdjaeofqyainaghrdd
    SHA-256: b8309cbbd739f0ae73ca7b1b6bd6e606e5799fa7f7cd16b70cc1aeb302b63dd2

COVID-19
    Package name: anubis.bot.myapplication
    SHA-256: 090b5fb792b62225df6ca55fac2d96b630d596a61b7071009e0084056d04240a

Spyware is a type of malware that tracks the user's activity on their phone without their consent. Given the focus of the original apps and the expectations they set (i.e. contact tracing), these apps are already expected to access some personal information from the start. It is therefore not surprising that spyware authors cash in on this fact and covertly slip in a couple of extra permissions to track even more of the user's activity.

In some cases, the spyware app masquerading as the legitimate app tricks the user upon installation into granting it all of the sensitive permissions. We have often seen the spyware app then install the original legitimate app, so that the user actually gets the functionality they were after, while the spyware app hides itself from sight (by hiding its launcher icon) and remains installed on the victim's device. All the collected sensitive data (call logs, SMS logs and anything else the spyware operator is after) is then silently sent to the attacker's servers in the background.

As with bankers, a name and icon similar or identical to the original app's are used to deceive the user and push them into installing the spyware application.

Examples of spyware found (name, package name, SHA-256):

Aarogya Setu
    Package name: com.android.tester
    SHA-256: 885d07d1532dcce08ae8e0751793ec30ed0152eee3c1321e2d051b2f0e3fa3d7

Aarogya Setu - AddOn
    Package name: yps.eton.application
    SHA-256: f733ded73d4f498327480d232e415465c0f5654a69b431da081f83998b49ead2

Aarogya Setu Installer
    Package name: nic.gov.aarogyasetuinstaller
    SHA-256: d66c926aab6b15cfee786499645fda64782c752cae6dd3d4154fab81f7fe8744

Corona
    Package name: com.facebook
    SHA-256: 45f82afbe6576a6dbf458490c1d4577efca5c61899b3e9eca5bbfc6adf56519e

Corona
    Package name: com.facebook
    SHA-256: 7e5b04636c88c5c7fbcdf09d0578fbd487ddabc613b5648176d4495483d802eb
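The banker and spyware behaviour described above (an accessibility service grabbing credentials, SMS and call-log collection, installing the real app afterwards, hiding from the app drawer) leaves static traces in an app's manifest. The Python below is an added example, not code from the original page or from any of the samples listed: it reads a decoded, plain-XML AndroidManifest.xml (as apktool produces) and reports those indicators. The two manifests embedded in it are constructed for the example, the package names are invented, and which permission stands for which behaviour is this example's own assumption. A real sample may hide its icon at runtime rather than omit the launcher entry, so a present launcher activity on its own proves nothing.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the behaviour described in the text (SMS and call-log
# collection, installing the real app afterwards). Which permission stands for
# which behaviour is this example's own assumption, not a rule from the page.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": "reads stored SMS",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS (one-time codes)",
    "android.permission.READ_CALL_LOG": "reads call logs",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install other APKs",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _name(element):
    return element.get(ANDROID_NS + "name")


def inspect_manifest(manifest_xml: str) -> dict:
    """Static indicators from a decoded (plain-XML) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = {_name(p) for p in root.iter("uses-permission")}

    # A service that holds BIND_ACCESSIBILITY_SERVICE or answers the
    # AccessibilityService intent is offered to the user as an accessibility
    # service, the hook bankers use to read screen content and keystrokes.
    accessibility = False
    for service in root.iter("service"):
        binds = service.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        answers = any(_name(a) == ACCESSIBILITY_ACTION for a in service.iter("action"))
        if binds or answers:
            accessibility = True

    # Without a MAIN/LAUNCHER activity the app never appears in the app drawer.
    has_launcher = False
    for activity in root.iter("activity"):
        for intent_filter in activity.iter("intent-filter"):
            actions = {_name(a) for a in intent_filter.iter("action")}
            categories = {_name(c) for c in intent_filter.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True

    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "suspicious_permissions": sorted(p for p in declared if p in SUSPICIOUS_PERMISSIONS),
        "has_launcher": has_launcher,
    }


# Constructed manifests for this example; the package names are invented.
FAKE_TRACKER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.covidtracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="COVID Tracker">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

OFFICIAL_STYLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.officialtracer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <application android:label="Official Tracer">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (FAKE_TRACKER_MANIFEST, OFFICIAL_STYLE_MANIFEST):
        print(inspect_manifest(manifest))
```

Run it against the manifest apktool writes into the decoded directory (the binary manifest inside the APK must be decoded first; ElementTree cannot read it directly). A contact-tracing app that declares an accessibility service, asks to read SMS or call logs, or has no launcher activity deserves a closer look before it is trusted.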


How can you identify these apps?

First, and probably most important, make sure that the source you are downloading the application from is reliable. Use the government or public health office's official website, the website of the application's official provider, or the official app stores (Google Play or Apple's App Store).

Don't rely solely on the icon since this is usually the only part that bankers share with the official app. In the case of bankers, a very good indicator that the app is malicious is its package name, which is often composed of a random set of letters. For example: zpihicsrqznizsqcmw.xdfkqojzwozggpbyplbnheeify.ftfdjaeofqyainaghrdd.

The size of the app can also be an indicator that something is off: most of the official apps are roughly 10 MB to 20 MB, while a malicious app is usually much smaller (1 to 4 MB). That is not always the case, though.
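The three indicators above (a hash that matches a known sample, a random-looking package name, an unusually small APK) can be scripted. The Python below is an added example, not tooling from the original page: the SHA-256 set is the page's two tables joined into one list, while the 4 MB size cut-off and the vowel-ratio and consonant-run thresholds that define "random-looking" are this example's assumptions, chosen so that the banker package names in the tables trip them. The sample inputs in the self-test are taken from the tables or constructed. Note the anubis.bot.myapplication case: a readable package name is not flagged by the name heuristic, and only the hash catches it, which is why the page calls the name an indicator rather than a rule.

```python
import hashlib
import re

# SHA-256 values of the banker and spyware samples listed on this page.
KNOWN_BAD_SHA256 = {
    "d7fc4377b7a765d6bc3901d0de01008095965d02062fda3707957163afe8884d",
    "9ffda0c1e8e9e9c63c5219941f3f72f04ef8027b2ed8443498100df27e00b8b0",
    "484f6862473b96487b7d2cb1079df512403ed48ab25adf6aa3738fb39acc625b",
    "bb1146c08e39e704dc50c81ba12169d0eede42c38fe9ea5eedae74952c75433a",
    "1726cdd1bc9511216d1162b49000dd830ca863138f26fd27aa68c13e16ad7e73",
    "b8309cbbd739f0ae73ca7b1b6bd6e606e5799fa7f7cd16b70cc1aeb302b63dd2",
    "090b5fb792b62225df6ca55fac2d96b630d596a61b7071009e0084056d04240a",
    "885d07d1532dcce08ae8e0751793ec30ed0152eee3c1321e2d051b2f0e3fa3d7",
    "f733ded73d4f498327480d232e415465c0f5654a69b431da081f83998b49ead2",
    "d66c926aab6b15cfee786499645fda64782c752cae6dd3d4154fab81f7fe8744",
    "45f82afbe6576a6dbf458490c1d4577efca5c61899b3e9eca5bbfc6adf56519e",
    "7e5b04636c88c5c7fbcdf09d0578fbd487ddabc613b5648176d4495483d802eb",
}

VOWELS = set("aeiou")


def segment_looks_random(segment: str, min_len: int = 6,
                         max_vowel_ratio: float = 0.25,
                         max_consonant_run: int = 5) -> bool:
    """Heuristic (thresholds are this example's assumption): a package segment
    with almost no vowels, or a long run of consonants, reads like generated
    noise rather than a word. Short segments such as 'com' or 'gov' are skipped."""
    letters = re.sub(r"[^a-z]", "", segment.lower())
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < max_vowel_ratio or longest >= max_consonant_run


def package_looks_random(package_name: str) -> bool:
    return any(segment_looks_random(s) for s in package_name.split("."))


def sha256_of_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(package_name: str, sha256_hex: str, size_bytes: int,
           small_apk_bytes: int = 4 * 1024 * 1024) -> dict:
    """Combine the three indicators. A hash match is conclusive; the other two
    only raise suspicion, since the page notes they do not always hold."""
    ioc_match = sha256_hex.lower() in KNOWN_BAD_SHA256
    random_name = package_looks_random(package_name)
    small_apk = size_bytes < small_apk_bytes
    if ioc_match:
        verdict = "known malicious"
    elif random_name or small_apk:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"ioc_match": ioc_match, "random_package_name": random_name,
            "small_apk": small_apk, "verdict": verdict}


if __name__ == "__main__":
    import os
    import sys
    if len(sys.argv) == 3:  # usage: triage.py <package-name> <apk-path>
        package, path = sys.argv[1], sys.argv[2]
        print(triage(package, sha256_of_file(path), os.path.getsize(path)))
    else:  # no APK given: the page's first banker entry with a constructed size
        print(triage("wocwvy.czyxoxmbauu.slsa",
                     "d7fc4377b7a765d6bc3901d0de01008095965d02062fda3707957163afe8884d",
                     2_500_000))
```

The package name is not recoverable from the APK with the standard library alone (it sits in the binary manifest), so it is passed on the command line; `aapt dump badging` or apktool will print it. Treat "suspicious" as a prompt to compare the app against the official listing, not as a verdict.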

If anything feels off, it is best to be cautious: double-check the available official materials, or seek guidance from someone more experienced.