Anomali Threat Research Identifies Fake COVID-19 Contact Tracing Apps Used to Download Malware that Monitors Devices, Steals Personal Data | Anomali

Authored by: Tara Gould, Gage Mele, Parthiban Rajendran, and Rory Gould


Threat actors are distributing fake Android applications themed around official government COVID-19 contact tracing apps. Anomali Threat Research (ATR) identified multiple applications that contain malware, primarily Anubis and SpyNote, along with other generic malware families. Once installed on a device, these apps are designed to download and install malware that monitors the infected device and steals banking credentials and personal data. The wider security community continues to monitor ongoing malicious activity themed around COVID-19.[1] ATR believes that the fake apps are likely being distributed through other apps, third-party stores, and websites, among other channels. As of the publication of this research, the fake apps had not been identified in the Google Play Store.

Anomali Threat Research identified 12 malicious applications that appear to target citizens of multiple countries. This activity consists of separate incidents of malicious activity themed around COVID-19 and should not be viewed as a coordinated campaign. In multiple countries, the malicious activity was themed directly after official government apps and/or other COVID-19-themed applications. Anomali Threat Research findings are shown below in Table 1.

Table 1 - Malicious Applications

Government Tracing App | Official Package Name | Malicious Package Name | Detection Name
 | | | *Trojan
Arrogyasetu (India) | | |
Italy (impersonating INPS) | certificati.farma.droidynhsumknjtd.hphsefyntauykl.hauqklysedjjnukso | *Trojan
Russia | - | *Trojan | *Trojan

*Unnamed or generic malware

Technical Analysis


Anubis is an Android banking trojan that uses overlays to steal user credentials from infected devices. The malware has reportedly been available since at least 2017 and disguises itself as legitimate applications, such as fake software updates. Threat actors use custom injects to make the victim believe they are viewing their banking application, while an actor-controlled overlay placed on top of the application harvests the sensitive information entered into it.

Primary functionalities:

  • Access to SMS messages, location, contact list, and system information
  • Custom injections into a wide range of banking and social media applications to harvest sensitive information
  • Hides its icon from the app drawer once launched
  • Keylogging
  • Requests a broad set of device permissions (see Figure 3)
  • Records phone calls
  • Steals data
  • Uses overlays to steal credentials


Legitimate application - Coronavírus - SUS
Malicious application - Coronavírus - SUS
Malicious package - wocwvy.czyxoxmbauu.slsa
Sample - ec70b3f8db8a66d353cc69704b4d7141

Anomali Threat Research has found a malicious application hosted on the website btc-chenger[.]xyz that impersonates the Brazilian government’s official COVID-19 tracing app. The malicious application imitates the legitimate application as a lure for victims to download the Anubis malware. When the app is first started on the device, it asks for the Accessibility Service privilege, as shown in Figure 2. Once the user enables the permissions, the app runs in the background and hides its icon from the application drawer.

Figure 1 - Icon as it Appears on Android Device

Figure 2 - Malicious app requests Accessibility permissions

Figure 3 - List of Permissions Granted by Anubis

Figure 4 - Anubis SMS-Stealing Abilities

Figure 5 - Anubis Accessing Users’ Contacts


SpyNote is an Android trojan whose primary objective is gathering and monitoring data on infected devices. The trojan was first identified by Palo Alto Networks Unit 42 researchers in December 2016.[2] SpyNote is based on leaked source code from malware forums and functions similarly to the Remote Access Trojans (RATs) DroidJack and OmniRat.[3]

Primary Functionalities:

  • Access to SMS messages, GPS location, and contacts
  • Places calls from the victim’s number
  • Captures photos from the camera
  • Reads browser history
  • Lists installed applications
  • Collects device information
  • Exfiltrates files
  • Reads or writes messages
  • Reads or writes the contacts list
  • Records calls


Legitimate application - PeduliLindungi
Malicious application - PeduliLindungi
Malicious package - cmf0.c3b5bm90zq.patch
Sample - 0bc3d828e7ab270a8baab7a32633de0d

Figure 6 - App Icon in App Drawer

PeduliLindungi is an Indonesian COVID-19 tracing application created by the Republic of Indonesia Ministry of Communication and Information Technology.[4] Anomali Threat Research found an application impersonating PeduliLindungi, also called PeduliLindungi, that contains the SpyNote malware. The malicious application carries the legitimate app inside itself under its “res/raw” folder. When the malicious app is run, it installs the legitimate application on the device while hiding itself from the app drawer, so the victim sees the expected app and has no visible sign of the trojan.
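The two behaviours described on this page, an app requesting the Accessibility Service and overlay/SMS permissions (the Anubis sample) and an app bundling a second, legitimate APK under res/raw that it installs on launch (the SpyNote sample), can both be triaged offline from the APK file alone. The following is an added example written for this article, not code from Anomali or from the samples; it assumes nothing beyond the Python standard library, builds a constructed APK-shaped ZIP inline to exercise itself, and uses a byte-level string search rather than a full binary-manifest parser.

```python
import io
import zipfile

# Permission strings behind the behaviour above: accessibility abuse and
# overlays (Anubis) and SMS access (Anubis, SpyNote).
SUSPICIOUS = (
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_SMS",
)

def manifest_hits(manifest_bytes):
    # Binary AXML keeps its string pool as UTF-16LE or UTF-8; check both.
    return [s for s in SUSPICIOUS
            if s.encode("utf-8") in manifest_bytes
            or s.encode("utf-16-le") in manifest_bytes]

def embedded_apks(apk_bytes):
    # An APK is a ZIP; a res/raw/ entry that is itself a ZIP holding
    # AndroidManifest.xml and classes.dex is a bundled APK (dropper pattern).
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith("res/raw/"):
                continue
            data = outer.read(name)
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if {"AndroidManifest.xml", "classes.dex"} <= set(inner.namelist()):
                    found.append(name)
    return found

def triage(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml")
    return {"manifest": manifest_hits(manifest), "embedded": embedded_apks(apk_bytes)}

def make_apk(manifest, extra=None):
    # Constructed minimal APK-shaped ZIP, used only to exercise the checks.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", b"dex\n035\0")
        for path, data in (extra or {}).items():
            z.writestr(path, data)
    return buf.getvalue()

# Constructed sample: outer app requesting accessibility, bundling a benign APK.
SAMPLE = make_apk(SUSPICIOUS[0].encode("utf-16-le"),
                  {"res/raw/legit.apk": make_apk(b"<benign/>")})
```

Running `triage(open("suspect.apk", "rb").read())` on a real file flags both indicators; a hit on either is a reason to pull the sample into a sandbox, not a verdict on its own.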

Figure 7 - Code showing install command, used to install the legitimate APK.

Figure 8 - The legitimate app, stored inside ‘res/raw’


The security and privacy risk posed by malicious COVID-19 apps is evident in the findings of Anomali Threat Research and other security researchers. Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name, which actors will continue to abuse. This research offers a glimpse into some of the applications threat actors are actively distributing; there are likely numerous others in the wild that have not yet been detected.




[1] “A Deep Dive Into SpyNote 6.5 Android RAT,” 70ry, published February 13, 2020, accessed June 3, 2020; Amrita Nayak Dutta, “Pakistani operatives create fake Arogya Setu app to ‘steal info’ from Indian defence forces,” ThePrint, published April 27, 2020, accessed June 3, 2020; “FAKE AAROGYA SETU ANDROID APPS HARBOR SPYWARE CAPABILITIES,” Security News - SonicWall, published May 20, 2020, accessed June 3, 2020.

[2] Jacob Soo, “SpyNote Android Trojan Builder Leaked,” Unit 42, Palo Alto Networks, published July 28, 2016, accessed June 3, 2020.

[3] Ibid.

[4] “PeduliLindungi,” Google Play, accessed June 3, 2020.


App name -
Country - India

Figure 9 - Language selector from malicious Arrogya Setu App

Figure 10 - Arrogya Setu App Home Page

Figure 10 - Registration Page for Arrogya Setu App

App Name - kg.cdt.stopcovid19
Country - Kyrgyzstan

Figure 11 - Sign Up Page from Kyrgyzstani app

App name -
Country - Armenia

Figure 12 - Home screen of malicious Armenian app

App Name -
Country - Iran

Figure 13 - Home Screen of Malicious Iranian App
