For months now, cybercriminals have used coronavirus-themed emails, messages and software to trick people into downloading malware and other malicious programs designed to steal information and harm people.
Kristin Del Rosso and other threat researchers with cybersecurity company Lookout have found a new kind of coronavirus cyberattack designed to spread potentially malicious Android applications that appear to be the most recent piece of tooling in a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals.
In a blog post on Wednesday, Del Rosso said Lookout researchers have discovered mobile surveillanceware imitating a COVID-19 app with deeper connections to 30 other apps that integrate a commercialized “off-the-shelf” spyware kit, enabling it to quickly capitalize on this crisis.
“This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold,” Del Rosso wrote.
“That’s why, even in times of crisis, it’s important to avoid downloading apps from third-party app stores and clicking suspicious links for ‘informative’ sites or apps spread via SMS, especially from an unknown number,” she said.
The Android application Lookout researchers found is named “corona live 1.1” and when it is downloaded, it asks for access to all of a user’s photos, media, files and device location, as well as permission to take more photos and record video.
According to Del Rosso, the “corona live 1.1” app is actually a SpyMax sample, a trojanized version of the legitimate “corona live” application which provides an interface to the data found on the Johns Hopkins coronavirus tracker, which includes information on infection rates and death totals in each country.
“SpyMax is a commercial surveillanceware family that appears to have been developed by the same creators as SpyNote, another low-cost commercial Android surveillanceware. SpyMax has all the capabilities of a standard spying tool, and forums referencing the malware praise its ‘simple graphical interface’ and ease of use,” Del Rosso added.
“SpyMax allows the actor to access a variety of sensitive data on the phone, and provides a shell terminal and the ability to remotely activate the microphone and cameras. While this ‘corona live 1.1’ application itself appears to be waiting for more functionality, it stores command and control information in resources/values/strings as is common in SpyMax and SpyNote samples, where it contains the hard-coded address of the attacker’s server,” she said.
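As an added illustration of the defender's side of what Del Rosso describes (the broad permission set the app requests, and C2 details kept in the decoded resources), the following Python triage script is not part of Lookout's research or the article. It assumes the APK has already been decoded so that `res/values/strings.xml` and `AndroidManifest.xml` are available as text; every sample resource, address and name below is constructed.

```python
# Triage helpers for a decoded Android APK: flag hard-coded network endpoints in
# res/values/strings.xml and sensitive permissions in the manifest. Samples are constructed.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that together enable the described behaviour: media/files, location, camera, mic.
WATCHLIST = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_EXTERNAL_STORAGE",
             "android.permission.ACCESS_FINE_LOCATION"}

# Matches an IPv4 address (optionally :port), a URL, or host:port. A port stored in
# its own <string> is not an endpoint by itself and is deliberately not flagged.
ENDPOINT_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"
    r"|https?://[^\s\"'<>]+"
    r"|\b[a-z0-9.-]+\.[a-z]{2,}:\d{1,5}\b", re.IGNORECASE)

def find_endpoints(strings_xml: str) -> list[tuple[str, str]]:
    """Return (resource name, value) for each <string> that looks like a network endpoint."""
    root = ET.fromstring(strings_xml)
    return [(n.get("name", ""), (n.text or "").strip()) for n in root.iter("string")
            if ENDPOINT_RE.search(n.text or "")]

def risky_permissions(manifest_xml: str) -> list[str]:
    """Return watchlisted permissions the manifest requests, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = (n.get(ANDROID_NS + "name", "") for n in root.iter("uses-permission"))
    return [p for p in names if p in WATCHLIST]

def triage(strings_xml: str, manifest_xml: str) -> dict:
    """Flag the combination: a hard-coded endpoint plus several sensitive permissions."""
    endpoints, perms = find_endpoints(strings_xml), risky_permissions(manifest_xml)
    return {"endpoints": endpoints, "permissions": perms,
            "suspicious": bool(endpoints) and len(perms) >= 3}

# Constructed sample resources (RFC 5737 documentation address, .invalid hostname).
SAMPLE_STRINGS = """<resources>
  <string name="host">203.0.113.10</string>
  <string name="port">7771</string>
  <string name="update_url">http://c2.example.invalid:8080/</string>
</resources>"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS, SAMPLE_MANIFEST))
```

A legitimate tracker app can also request some of these permissions, so the combined flag is a reason to look closer, not a verdict.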
Researchers at Lookout used this domain to discover 30 other APKs that share the same basic infrastructure and are part of a bigger surveillance campaign that began in April 2019. These applications belong to a larger family of commercial surveillanceware that includes SpyMax, SpyNote, SonicSpy, SandroRat, and Mobihok.
At least three new coronavirus-related apps have been created using the same infrastructure as those applications, and the Lookout investigation traced them back to IP addresses operated by Libyan Telecom and Technology, a consumer internet service provider.
“The person or group running the campaign is likely in Libya and using their own infrastructure to run the C2, or is leveraging infrastructure they have compromised there. As the applications are also specifically aimed at Libyan users, this appears to be a regionally targeted surveillance effort,” Del Rosso wrote.
“While Lookout researchers have not seen anything at the moment to indicate this is a state-sponsored campaign, the use of these commercial surveillanceware families has been observed in the past as part of the tooling used by nation states in the Middle East. While nation states can and do develop their own custom tooling, they have also been known to use out-of-the-box open-source and commercial tools, as well as sometimes use commercial or open source malware as a starting point to develop their own malware,” she said.
She added that one of the most worrying aspects of this campaign is that the malware being used can be found and purchased fairly easily before it is customized. Other researchers with Lookout have discovered a number of ties between these applications, identifying that SpyNote and Mobihok have fairly cheap licensing costs and even go so far as to offer support for users to set up their applications.
The ease of use and widespread offers of help or support make it likely that others will use these applications and customize them for their own uses.
Unfortunately, this is not the only coronavirus-related scam cybercriminals are leveraging right now.
Sophos security expert Chester Wisniewski wrote another blog post describing a new scam in which cybercriminals impersonate the newly developed COVID-19 Solidarity Response Fund, demonstrating just how quickly cybercriminals adapt and update their attack methods as real-time news regarding COVID-19 unfolds.
“As people’s fear and desire to do something about COVID-19 is dominating the news, it is also being exploited in every way by online criminals. First, Sophos noticed phishing attackers using the World Health Organization (WHO) as a lure. Next, numerous malware gangs began to disguise their malicious wares as COVID-19-themed documents. Now today, we are seeing cyberattackers impersonating WHO charities, this time the COVID-19 Solidarity Response Fund,” Wisniewski said.
“These emails are fake, but very real looking and take advantage of new and until recently unheard of charitable organizations. We haven’t seen the novel nature of this attack before – impersonating charities around COVID-19. Any time the public’s interest becomes fixated on a topic, scammers, spammers and malware authors latch on to the news and are determined to find a way to exploit the opportunity. We’ve seen this type of activity in the past, but rarely is the whole world so focused on one thing, making this chance to develop scams a little too good to be true for cybercriminals,” he said.
He added that almost all of the malicious online activity Sophos is seeing right now has in one way or another taken advantage of a COVID-19/Corona theme.
Cybercriminals are flooding inboxes with spam and scams related to masks, fake cures, or guides to coronavirus-proof bunkers.
Wisniewski said common email-borne malware families like Fareit and Trickbot are sent under the guise of Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) themed emails.
Hackers are now pretending to be charities associated with aid groups addressing the spread of coronavirus. They send emails asking for payment in Bitcoin and other cryptocurrencies, seeking to steal money while staying hidden.
“Whether you trust your government or not, criminals are emailing you to exploit your fear or distrust. Let’s be clear. If you want advice from those who truly know what is happening, visit the website of your local health authority or ministry of health. Make a bookmark in your browser for the *real* WHO website at https://www.who.int, and if you really want to make a financial contribution to those helping us stay safe in this fight, don’t send Bitcoin, but go to the official website for the COVID-19 Solidarity Response Fund at https://www.covid19responsefund.org/,” Wisniewski said.