Fake Coronavirus Tracker App Bricks Phone & Demands Ransom
Cybercriminals have launched an app that capitalises on the public’s fear of the COVID-19 Coronavirus and contains malware that locks a user’s phone until a ransom is paid.
According to reports, victims are given 48 hours to pay a ransom in cryptocurrency worth USD 100 in exchange for a decryption code. The cybercriminals add that “your GPS is watched and your location is known. If you try anything stupid your phone will automatically be erased,” while also threatening to leak sensitive information and photos onto social media.
The malware-filled app, now dubbed the ‘CovidLock’ application, was reportedly first discovered by Chad Anderson and Tarik Saleh, two senior security engineers and malware researchers at DomainTools, who have also recently published a blog post expanding on the discovery.
Saleh writes that “cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that cause people to be emotional or fearful to drive their profits. Any time there are major news cycles happening on a topic that stirs a strong reaction, cybercriminals will not be far behind.”
The researchers noticed a rise in the number of registered domain names associated with the Coronavirus and realised that these were not benevolent or informative websites.
“Shortly after the first cases were confirmed, DomainTools’ researchers observed a minor uptick in domain names leveraging Coronavirus and COVID-19. These registrations have peaked significantly in the past few weeks and many of them are scams,” Saleh added.
“The DomainTools security team discovered a domain (coronavirusapp[.]site) that claims to have a real-time Coronavirus outbreak tracker available via an app download. The domain prompts users to download an Android app that will give them access to a Coronavirus map tracker that appears to provide tracking and statistical information about COVID-19, including heatmap visuals.”
“In reality, the app is poisoned with ransomware. This Android ransomware application, previously unseen in the wild, has been titled “CovidLock” because of the malware’s capabilities and its background story. CovidLock uses techniques to deny the victim access to their phone by forcing a change in the password used to unlock the phone. This is also known as the screen-lock attack and has been seen before on Android ransomware.”
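The domain-registration uptick the researchers describe is the kind of signal a defender can triage from a newly-registered-domains feed: refang report-style names such as coronavirusapp[.]site, flag those built on pandemic keywords, and rank higher the ones that also advertise an app, tracker or map. The script below is an added example, not DomainTools’ tooling; the feed lines are constructed, and the keyword lists and severity labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample of a "newly registered domains" feed (date, domain).
# Defanged forms such as coronavirusapp[.]site are kept as they appear in
# threat reports; every entry here is made up for illustration.
SAMPLE_FEED = """\
2020-01-20 weather-today.example
2020-01-22 corona-news[.]example
2020-03-09 coronavirusapp[.]site
2020-03-10 covid19-tracker-map[.]example
2020-03-10 covid-relief-fund[.]example
2020-03-11 ncov-live-map[.]example
2020-03-11 bakery-shop.example
"""

# Assumed keyword lists: pandemic themes, and wording typical of an app/map lure.
LURE_TERMS = re.compile(r"(corona|covid|ncov)", re.IGNORECASE)
APP_HINTS = re.compile(r"(app|tracker|map|live|download)", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn report-style defanged names ('[.]', '(.)') back into a plain hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


def parse_feed(text: str):
    """Yield (date, hostname) pairs from whitespace-separated feed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        yield parts[0], refang(parts[1])


def triage(text: str):
    """Return (daily_counts, flagged): lure-themed registrations per day, and a
    list of (date, host, severity); severity is 'high' when the name also
    carries app/tracker/map wording, 'medium' otherwise."""
    daily = Counter()
    flagged = []
    for day, host in parse_feed(text):
        if not LURE_TERMS.search(host):
            continue
        daily[day] += 1
        severity = "high" if APP_HINTS.search(host) else "medium"
        flagged.append((day, host, severity))
    return daily, flagged


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_FEED)
    for day in sorted(counts):
        print(day, counts[day])          # per-day volume shows the uptick
    for day, host, sev in hits:
        print(f"{sev:6} {day} {host}")   # candidates for analyst review
```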
The two researchers have announced that they plan to publish details of reverse-engineered decryption tools so that anyone caught out by the malware can access them.
According to SCMagazine “the researchers are also monitoring transactions associated with the attackers’ bitcoin wallet.”
Shai Alfasi, a researcher with Reason Labs, published news of a very similar discovery more than a week ago. That campaign targeted laptop and desktop users: he found a Coronavirus threat map that was actually malware in disguise, once again taking advantage of vulnerable individuals looking for information. Alfasi said that at first glance, “the malware has a graphical user interface that looks very good and convincing.”
“This technique is pretty common,” Alfasi said. “I came across it once before, and after doing some digging around, discovered that this information-stealing tactic came from a malware family called ‘AZORult,’ which was first seen in the wild in 2016.”
The malware is a staple on the Russian black market and is able to steal credit card information, cryptocurrency logins, browsing history and cookies, and can even download more malware onto the infected machine.
This is not to be mistaken for Microsoft’s official COVID-19 tracker, which was launched yesterday.