Anomali Threat Research Identifies Fake COVID-19 Contact Tracing Apps Used to Download Malware that Monitors Devices, Steals Personal Data

<p>Authored by: Tara Gould, Gage Mele, Parthiban Rajendran, and Rory Gould</p><h2>Overview</h2><p>Threat actors are distributing fake Android applications themed around official government COVID-19 contact tracing apps. Anomali Threat Research (ATR) identified multiple applications that contain malware, primarily Anubis and SpyNote, and other generic malware families. These apps, once installed on a device, are designed to download and install malware to monitor infected devices, and to steal banking credentials and personal data. The wider security community continues to monitor ongoing malicious activity themed around COVID-19.^[1] ATR believes that the fake apps are likely being distributed through other apps, third-party stores, and websites, among others. As of the publication of this research, the fake apps had not been identified as being present in the Google Play Store.</p><p>Anomali Threat Research identified <strong>12</strong> malicious applications that appear to be targeting citizens of multiple countries. This activity consists of separate incidents of malicious activity themed around COVID-19 and should not be viewed as a coordinated campaign. Multiple countries were found to have malicious activity themed directly after government and/or malicious COVID-19-themed applications. Anomali Threat Research findings are shown below in Table 1.</p><p style="text-align: center;"><em>Table 1 - Malicious Applications</em></p><table class="table table-striped table-bordered" style="table-layout: fixed;"><thead><tr><th scope="col">Government Tracing App</th><th scope="col">Official Package Name</th><th scope="col">Malicious Package Name</th><th scope="col">Detection Name</th></tr></thead><tbody><tr><td>Armenia</td><td style="word-wrap: break-word;">am.gov.covid19</td><td style="word-wrap: break-word;">am.ac19.health</td><td style="word-wrap: break-word;">*Trojan</td></tr><tr><td>Arrogyasetu (India)</td><td style="word-wrap: break-word;">nic.goi.aarogyasetu</td><td style="word-wrap: break-word;">com.android.tester</td><td style="word-wrap: break-word;">Spynote</td></tr><tr><td>Brazil</td><td style="word-wrap: break-word;">br.gov.datasus.guardioes</td><td style="word-wrap: break-word;">wocwvy.czyxoxmbauu.slsa</td><td>Anubis</td></tr><tr><td>Chhattisgarh</td><td style="word-wrap: break-word;">com.mobcoder.govcth</td><td style="word-wrap: break-word;">cmf0.c3b5bm90zq.patch</td><td>*Trojan</td></tr><tr><td>Columbia</td><td style="word-wrap: break-word;">co.gov.ins.guardianes</td><td style="word-wrap: break-word;">qmkeasedjeumxmgb.czmofiuouafiuwtmwonw.eeepqsunrbflk</td><td>*Trojan</td></tr><tr><td>Indonesia</td><td style="word-wrap: break-word;">com.telkom.tracencare</td><td style="word-wrap: break-word;">cmf0.c3b5bm90zq.patch</td><td>Spynote</td></tr><tr><td>Iran</td><td style="word-wrap: break-word;">ir.covidapp.android</td><td style="word-wrap: break-word;">co.health.covid</td><td>*Trojan</td></tr><tr><td>Italy (impersonating INPS)</td><td style="word-wrap: break-word;">certificati.farma.droid</td><td style="word-wrap: break-word;">ynhsumknjtd.hphsefyntauykl.hauqklysedjjnukso</td><td>*Trojan</td></tr><tr><td>Kyrgyzstan</td><td style="word-wrap: break-word;">kg.cdt.stopcovid19</td><td style="word-wrap: break-word;">kg.cdt.stopcovid19</td><td>*Adware</td></tr><tr><td>Russia - EMERCOM</td><td style="word-wrap: break-word;">com.minsvyaz.gosuslugi.stopcorona</td><td style="word-wrap: break-word;">anubis.bot.myapplication</td><td>Anubis</td></tr><tr><td>Singapore</td><td style="word-wrap: break-word;">sg.gov.tech.bluetrace</td><td style="word-wrap: break-word;">iiyyxasgfmaeph.jyefwosxdajh.ubempzgulrqdkcmjaplqrxeq</td><td>*Trojan</td></tr><tr><td>Singapore</td><td style="word-wrap: break-word;">sg.gov.tech.bluetrace</td><td style="word-wrap: break-word;">zfhxmtepnxyljw.wqnszljeb.bkolzgalth</td><td>*Trojan</td></tr></tbody></table><p>*Unnamed or generic malware</p><h2>Technical Analysis</h2><h3>Anubis</h3><p>Anubis is an Android banking trojan that utilizes overlays to access infected devices and steal user credentials. The malware has been reportedly available since at least 2017 and disguises itself as legitimate applications such as fake software updates. Custom injects are used by threat actors to make the victim believe they are viewing their banking application whilean overlay controlled by the actor and placed on top of the application is used to steal sensitive information.</p><p>Primary functionalities:</p><ul><li>Access to SMS messages, location, contact list, system information</li><li>Custom injections to a wide range of banking and social media applications, to harvest sensitive information</li><li>Hides itself from App drawer as launched</li><li>Keylogging</li><li>Permissions</li><li>Record phone calls</li><li>Steals data</li><li>Use of overlays to steal credentials</li></ul><h4>Brazil</h4><p>Legitimate application - Coronavírus - SUS<br /> Malicious application - Coronavírus - SUS<br /> Malicious package - wocwvy.czyxoxmbauu.slsa<br /> Sample - ec70b3f8db8a66d353cc69704b4d7141</p><p>Anomali Threat Research has found a malicious application hosted on a website btc-chenger[.]xyz that impersonates the Brazilian government’s official COVID tracing app. The malicious application imitates the legitimate application as a lure for victims to download the Anubis malware. When the app is first started on the device it will ask for the accessibility service privilege as shown in the figure 2. Once the user enables the permissions the app will run in the background and hides the icon from the application drawer.</p><p style="text-align: center;"><em><img alt="Icon as it Appears on Android Device" src="https://wwwlegacy.anomali.com/images/uploads/blog/andoird-app-icon.png" /><br /> Figure 1 - Icon as it Appears on Android Device</em></p><p style="text-align: center;"><em><img alt="Malicious app requests Accessibility permissions" src="https://wwwlegacy.anomali.com/images/uploads/blog/Malicious-app-requests-Accessibility.png" style="width: 400px;" /><br /> Figure 2 - Malicious app requests Accessibility permissions</em></p><p style="text-align: center;"><em><img alt="List of Permissions Granted by Anubis" src="https://wwwlegacy.anomali.com/images/uploads/blog/Permissions-Granted-by-Anubis.png" /><br /> Figure 3 - List of Permissions Granted by Anubis</em></p><p style="text-align: center;"><em><img alt="Anubis SMS-Stealing Abilities" src="https://wwwlegacy.anomali.com/images/uploads/blog/Anubis-SMS-Stealing-Abilities.png" /><br /> Figure 4 - Anubis SMS-Stealing Abilities</em></p><p style="text-align: center;"><em><img alt="Anubis Accessing Users’ Contacts" src="https://wwwlegacy.anomali.com/images/uploads/blog/Anubis-Accessing-Contacts.png" /><br /> Figure 5 - Anubis Accessing Users’ Contacts</em></p><h3>SpyNote</h3><p>SpyNote is an Android trojan with the primary objective of gathering and monitoring data on infected devices. The trojan was first identified by Palo Alto Unit 42 researchers in December 2016.^[2] SpyNote is based off of leaked source code from malware forums and functions similarly to the Remote Access Trojans (RATs) DroidJack and OmniRat.^[3]​</p><p>Primary Functionalities:</p><ul><li>Access SMS, GPS Location, Contacts</li><li>Call From Victims Number</li><li>Capture Photos From Camera</li><li>Check Browser History</li><li>Check Installed Apps</li><li>Device Information</li><li>Exfiltrate Files </li><li>Installed Application</li><li>Read Or Write Messages</li><li>Read Or Write The Contacts List</li><li>Record Calls</li></ul><h4>Indonesia </h4><p>Legitimate application - PeduliLindungi<br /> Malicious application -  PeduliLindungi<br /> Malicious package - cmf0.c3b5bm90zq.patch<br /> Sample - 0bc3d828e7ab270a8baab7a32633de0d</p><p style="text-align: center;"><em><img alt="App Icon in App Drawer" src="https://wwwlegacy.anomali.com/images/uploads/blog/App-Icon-in-App-Drawer.png" /><br /> Figure 6 - App Icon in App Drawer</em></p><p>PeduliLindungi is an Indonesian COVID-19 tracing application created by the Republic of Indonesia Ministry of Communication and Information Technology.^[4] Anomali Threat Research  found an application impersonating PeduliLindungi, also called PeduliLindungi, that contains the SpyNote malware. The malicious application contains the legitimate app inside itself under the “/raw/” folder. When the malicious app is run, the legitimate application is installed on the device, with the malicious app hiding from the app drawer.</p><p style="text-align: center;"><em><img alt="Code showing install command, used to install the legitimate APK" src="https://wwwlegacy.anomali.com/images/uploads/blog/Code-showing-install-command.png" /><br /> Figure 7 - Code showing install command, used to install the legitimate APK.</em></p><p style="text-align: center;"><em><img alt="The legitimate app, stored inside ‘res/raw’" src="https://wwwlegacy.anomali.com/images/uploads/blog/legitimate-app.png" />Figure 8 - The legitimate app, stored inside ‘res/raw’</em></p><h2>Conclusion</h2><p>The potential security and privacy-related risk of malicious COVID-19 apps is evident in Anomali Threat Research and other security researchers&#39; findings. Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name, of which actors will continue to abuse. This research reveals  a glimpse into some of the applications threat actors are actively distributing, and there are likely numerous others in the wild that have not yet been detected.</p><h2>IOCs</h2><p>c448ae9ad80f088e9296f08a114605e2<br /> 66b3529f7589cac62960bfacc9dbc5f4<br /> 0ba9d47e0d9fa0b6db4f397a34f7efab<br /> 1d94952245f517602227938a26c498006143d7b8a92dd259f595715255b99ade<br /> 885d07d1532dcce08ae8e0751793ec30ed0152eee3c1321e2d051b2f0e3fa3d7<br /> 41bb86666543349bbf82e157b4d69a893f9b9c0fd37a8dce59048d8e000af3d6<br /> add9a29ee75b55ec8d6d7ee4f5119084edbeb3db04cbcce0af30c28758182296<br /> 8b8dfb8fa7c313d9d7c1b1a67646abdb54d8cfd18773b136a10f191ca27098fc<br /> d7fc4377b7a765d6bc3901d0de01008095965d02062fda3707957163afe8884d<br /> a03fe22f32b683a34c452a74fbc8e78f5f33132332149fe726945397c37d37a6<br /> e6786770a2a81ce798178f4eef4ae2290dfb1977ba5ced8cdbd01ddca3fadd17<br /> a76bb2e56079dca73d759cdae9857cd5626c200785f004e492f60ce52784f745<br /> cafc2a8e3dc818de9bb5b0eff1a9983426e5db9cc8c0d42905cefeb99b442099<br /> a891a9f77671623f6c397a03bc9ec7effc362a56e6f2ebb22967eeb6e4e9a14d<br /> a9eaea748420a5f832a208b35be7107b5fef389a844c0659688466d3a8fd3eb6<br /> 090b5fb792b62225df6ca55fac2d96b630d596a61b7071009e0084056d04240a<br /> be2a9bbdb89e48b5eadc52830d6f92dc4355adc2bc95d5ac5d6748fee68acf1c</p><h2>Endnotes</h2><p>^[1] “A Deep Dive Into SpyNote 6.5 Android RAT,” 70ry, accessed June 3, 2020, published February 13, 2020, https://70ry.tistory.com/412; Amrita Nayak Dutta, “Pakistani operatives create fake Arogya Setu app to ‘steal info’ from Indian defence forces,” <em>ThePrint</em>, accessed June 3, 2020, published April 27, 2020, https://theprint.in/defence/fears-rise-that-pakistan-based-intel-operatives-could-misuse-aarogya-setu-app/409798/; “FAKE AAROGYA SETU ANDROID APPS HARBOR SPYWARE CAPABILITIES,” <em>Security News</em> - SonicWall, accessed June 3, 2020, published May 20, 2020, https://securitynews.sonicwall.com/xmlpost/fake-aarogya-setu-android-apps-harbor-spyware-capabilities/.</p><p>^[2] Jacob Soo, “SpyNote Android Trojan Builder Leaked,” Unit 42 Palo Alto Networks, accessed June 3, 2020, published July 28, 2016, https://unit42.paloaltonetworks.com/unit42-spynote-android-trojan-builder-leaked/.</p><p>^[3] Ibid.</p><p>^[4] “PeduliLindungi,” Google Play, accessed June 3, 2020, https://play.google.com/store/apps/details?id=com.telkom.tracencare.</p><h2>Appendix</h2><p><strong>App name - com.android.tester</strong><br /> Country - India</p><p style="text-align: center;"><em><img alt="Language selector from malicious Arrogya Setu App" src="https://wwwlegacy.anomali.com/images/uploads/blog/Language-selector-Arrogya.png" style="width: 400px;" /><br /> Figure 9 - Language selector from malicious Arrogya Setu App</em></p><p style="text-align: center;"><em><img alt="Arrogya Setu App Home Page" src="https://wwwlegacy.anomali.com/images/uploads/blog/Arrogya-Home.png" style="width: 400px;" /> <img alt="Arrogya Setu App Home Page" src="https://wwwlegacy.anomali.com/images/uploads/blog/Arrogya-Home2.png" style="width: 400px;" /><br /> Figure 10 - Arrogya Setu App Home Page</em></p><p style="text-align: center;"><em><img alt="Registration Page for Arrogya Setu App" src="https://wwwlegacy.anomali.com/images/uploads/blog/Registration-Page-for-Arrogya.png" style="width: 400px;" /><br /> Figure 10 - Registration Page for Arrogya Setu App</em></p><p><strong>App Name - kg.cdt.stopcovid19</strong><br /> Country - Kyrgyzstan</p><p style="text-align: center;"><em><img alt="Sign Up Page from Kyrgyzstani app" src="https://wwwlegacy.anomali.com/images/uploads/blog/Sign-Up-Page-from-Kyrgyzstani-app.png" style="width: 400px;" /><br /> Figure 11 - Sign Up Page from Kyrgyzstani app</em></p><p><strong>App name - am.ac19.health</strong><br /> Country - Armenia</p><p style="text-align: center;"><em><img alt="Home screen of malicious Armenian app" src="https://wwwlegacy.anomali.com/images/uploads/blog/Home-screen-malicious-Armenian-app.png" style="width: 400px;" /><br /> Figure 12 - Home screen of malicious Armenian app</em></p><p><strong>App Name - co.health.covid</strong><br /> Country - Iran</p><p style="text-align: center;"><em><img alt="Home Screen of Malicious Iranian App" src="https://wwwlegacy.anomali.com/images/uploads/blog/Home-Screen-Malicious-Iranian-App.png" style="width: 400px;" /><br /> Figure 13 - Home Screen of Malicious Iranian App</em></p>