Purporting to offer help and info on COVID-19, the apps can let hackers take control of devices to access files, contacts, the calendar, and more, according to Check Point Research.
Mobile malware can be a threat at any time. But as cyber criminals exploit the coronavirus with phishing emails, ransomware, and other attacks, so too are they concocting phony coronavirus-themed apps to infect mobile devices. A new collection of Android apps analyzed by cyber threat intelligence provider Check Point Research purports to offer help and info on COVID-19 but instead delivers remote access trojans and other malware.
For its report "COVID-19 Goes Mobile: Coronavirus Malicious Applications Discovered" released Thursday, Check Point detailed its discovery of 16 different apps all masquerading as legitimate coronavirus apps. Installing these apps on an Android device unleashes malware that attempts to steal sensitive information or fraudulently generate money from premium services. The malware includes Mobile Remote Access Trojans (MRATs), Banker Trojans, and Premium Dialers.
None of the apps come from an official store such as Google Play. Instead, they're hosted on new coronavirus-themed domains, which Check Point researchers believe were created for the sole purpose of tricking unsuspecting users.
Since the coronavirus outbreak began in January, more than 51,000 virus-related domains have been registered. In just a two-week period in late March, more than 30,100 such domains were registered. Of those, 0.4% (131) were malicious and 9% (2,777) were considered suspicious and under investigation.
Tracing the path of one of the malicious apps, Check Point found that it was developed using Metasploit, a free penetration-testing framework. Virtually anyone with basic computer skills can use this tool to create malicious programs in less than 15 minutes, according to the researchers. Three samples uncovered by the company were given the name of coronavirus.apk.
In the samples found by Check Point, the apps were designed for delivery to a large number of mobile devices to take them over. Once installed, the apps start a service that can hide their icons to evade detection by the unsuspecting recipient. They then connect to a command and control center to download a malicious payload.
Analyzing the malware, Check Point discovered the Cerberus Android Banking Trojan, a known Malware-as-a-Service (MaaS) that is available for rental by anyone who wants to build their own payload and control infected devices. Specifically, an infection by Cerberus can capture keystrokes and user credentials, steal Google Authenticator data, spy on SMS messages, and control the device remotely using TeamViewer. In this example, the researchers found three samples being downloaded from coronavirus-themed domains.
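The delivery pattern described above (APK files served from coronavirus-themed domains rather than an official store, some named coronavirus.apk) can be turned into a web-proxy log check. The following is an added example, not code from Check Point's report; the log layout, the `.example` hosts, the keyword pattern and the store allowlist are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
THEME = re.compile(r"corona|covid", re.IGNORECASE)  # assumed keyword pattern
# Assumption: host suffixes your organisation accepts as official store sources.
STORE_SUFFIXES = ("google.com",)

# Constructed sample lines: time client method url status content-type
SAMPLE_LOG = """\
2020-04-09T10:01:02Z 10.0.0.5 GET http://coronavirus-app.example/coronavirus.apk 200 application/vnd.android.package-archive
2020-04-09T10:02:10Z 10.0.0.7 GET https://play.google.com/store/apps/details?id=com.example 200 text/html
2020-04-09T10:03:44Z 10.0.0.9 GET http://files.example/download?id=7 200 application/vnd.android.package-archive
2020-04-09T10:04:00Z 10.0.0.5 GET http://covid19-news.example/index.html 200 text/html
2020-04-09T10:05:31Z 10.0.0.11 GET http://play.google.com.covid-tracker.example/app.apk 200 application/octet-stream
"""

def is_store_host(host):
    # Match on a full label boundary so "play.google.com.evil.example" fails.
    return any(host == s or host.endswith("." + s) for s in STORE_SUFFIXES)

def find_sideloaded_apks(log_text):
    """Return successful APK downloads that did not come from an allowed store host."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _ts, client, _method, url, status, ctype = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        # An APK is recognised by extension or by MIME type, since either can be missing.
        is_apk = u.path.lower().endswith(".apk") or ctype.lower() == APK_MIME
        if status != "200" or not is_apk or is_store_host(host):
            continue
        themed = bool(THEME.search(host) or THEME.search(u.path))
        findings.append({"client": client, "host": host,
                         "severity": "high" if themed else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_sideloaded_apks(SAMPLE_LOG):
        print(finding)
```

Themed page views alone are not flagged; only completed APK downloads are, with the coronavirus keyword raising the severity.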
Other samples uncovered used Premium Dialer, which subscribes users to premium services without their knowledge or approval. Another piece of malware discovered was Hiddad, short for "Hidden Ad," which displays ads on the device's screen even if the app itself isn't open.
"Not only is there a physical threat from coronavirus, but also a substantial cyber threat," Aviran Hazum, manager of mobile research at Check Point, said in a press release. "Hackers are feasting around the fear of coronavirus by creating malicious applications that have names and icons suggesting they're harmlessly related to coronavirus, but truth is they are traps. In this case, what's alarming is the speed and simplicity in crafting these disguised coronavirus apps. I caution everyone to triple check the domains they click on these days."
To protect yourself from mobile malware, Check Point offers the following advice:
- Don't connect to public Wi-Fi networks.
- Enable remote lock and data wipe for mobile devices.
- Avoid answering or just block unsolicited calls.
- When you surf the web, especially on a mobile device, make sure you only use websites secured with SSL.
- Download applications only from the official app stores.
- Install a security solution to prevent potential infections.
- Update your device's operating system and applications to the latest versions.