Authored by: Tara Gould, Gage Mele, Parthiban Rajendran, and Rory Gould
Overview
Threat actors are distributing fake Android applications themed around official government COVID-19 contact tracing apps. Anomali Threat Research (ATR) identified multiple applications that contain malware, primarily Anubis and SpyNote, as well as other generic malware families. Once installed on a device, these apps are designed to download and install malware that monitors the infected device and steals banking credentials and personal data. The wider security community continues to monitor ongoing malicious activity themed around COVID-19.[1] ATR believes that the fake apps are likely being distributed through other apps, third-party stores, and websites, among other channels. As of the publication of this research, the fake apps had not been identified in the Google Play Store.
Anomali Threat Research identified 12 malicious applications that appear to target citizens of multiple countries. This activity consists of separate incidents of COVID-19-themed malicious activity and should not be viewed as a coordinated campaign. In multiple countries, the malicious applications were themed directly after the government's official tracing app or after COVID-19 more generally. Anomali Threat Research's findings are shown below in Table 1.
Table 1 - Malicious Applications
| Government Tracing App | Official Package Name | Malicious Package Name | Detection Name |
|---|---|---|---|
| Armenia | am.gov.covid19 | am.ac19.health | *Trojan |
| Aarogya Setu (India) | nic.goi.aarogyasetu | com.android.tester | SpyNote |
| Brazil | br.gov.datasus.guardioes | wocwvy.czyxoxmbauu.slsa | Anubis |
| Chhattisgarh | com.mobcoder.govcth | cmf0.c3b5bm90zq.patch | *Trojan |
| Colombia | co.gov.ins.guardianes | qmkeasedjeumxmgb.czmofiuouafiuwtmwonw.eeepqsunrbflk | *Trojan |
| Indonesia | com.telkom.tracencare | cmf0.c3b5bm90zq.patch | SpyNote |
| Iran | ir.covidapp.android | co.health.covid | *Trojan |
| Italy (impersonating INPS) | certificati.farma.droid | ynhsumknjtd.hphsefyntauykl.hauqklysedjjnukso | *Trojan |
| Kyrgyzstan | kg.cdt.stopcovid19 | kg.cdt.stopcovid19 | *Adware |
| Russia - EMERCOM | com.minsvyaz.gosuslugi.stopcorona | anubis.bot.myapplication | Anubis |
| Singapore | sg.gov.tech.bluetrace | iiyyxasgfmaeph.jyefwosxdajh.ubempzgulrqdkcmjaplqrxeq | *Trojan |
| Singapore | sg.gov.tech.bluetrace | zfhxmtepnxyljw.wqnszljeb.bkolzgalth | *Trojan |
*Unnamed or generic malware
Technical Analysis
Anubis
Anubis is an Android banking trojan that uses overlays to gain access to infected devices and steal user credentials. The malware has reportedly been available since at least 2017 and disguises itself as legitimate applications, such as fake software updates. Threat actors use custom injects to make the victim believe they are viewing their banking application, while an overlay controlled by the actor and placed on top of the application is used to steal sensitive information.
Primary functionalities:
- Access to SMS messages, location, contact list, and system information
- Custom injections into a wide range of banking and social media applications to harvest sensitive information
- Hides itself from the app drawer once launched
- Keylogging
- Requests device permissions, including the accessibility service
- Records phone calls
- Steals data
- Uses overlays to steal credentials
Brazil
Legitimate application - Coronavírus - SUS
Malicious application - Coronavírus - SUS
Malicious package - wocwvy.czyxoxmbauu.slsa
Sample - ec70b3f8db8a66d353cc69704b4d7141
Anomali Threat Research found a malicious application hosted on the website btc-chenger[.]xyz that impersonates the Brazilian government's official COVID-19 tracing app. The malicious application imitates the legitimate application as a lure for victims to download the Anubis malware. When the app is first started on the device, it asks for the accessibility service privilege, as shown in Figure 2. Once the user enables the permission, the app runs in the background and hides its icon from the application drawer.
Figure 1 - Icon as it Appears on Android Device
Figure 2 - Malicious app requests Accessibility permissions
Figure 3 - List of Permissions Granted by Anubis
Figure 4 - Anubis SMS-Stealing Abilities
Figure 5 - Anubis Accessing Users’ Contacts
SpyNote
SpyNote is an Android trojan whose primary objective is gathering and monitoring data on infected devices. The trojan was first identified by Palo Alto Networks Unit 42 researchers in 2016.[2] SpyNote is based on source code leaked on malware forums and functions similarly to the Remote Access Trojans (RATs) DroidJack and OmniRat.[3]
Primary functionalities:
- Access SMS, GPS location, and contacts
- Place calls from the victim's number
- Capture photos from the camera
- Check browser history
- List installed applications
- Collect device information
- Exfiltrate files
- Read or write messages
- Read or write the contacts list
- Record calls
Indonesia
Legitimate application - PeduliLindungi
Malicious application - PeduliLindungi
Malicious package - cmf0.c3b5bm90zq.patch
Sample - 0bc3d828e7ab270a8baab7a32633de0d
Figure 6 - App Icon in App Drawer
PeduliLindungi is an Indonesian COVID-19 tracing application created by the Republic of Indonesia Ministry of Communication and Information Technology.[4] Anomali Threat Research found an application impersonating PeduliLindungi, also called PeduliLindungi, that contains the SpyNote malware. The malicious application contains the legitimate app inside itself under the “/raw/” folder. When the malicious app is run, the legitimate application is installed on the device, with the malicious app hiding from the app drawer.
Figure 7 - Code showing install command, used to install the legitimate APK.
Figure 8 - The legitimate app, stored inside ‘res/raw’
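To turn the two dropper behaviours described above (the Anubis lookalike that hides itself after install, and the PeduliLindungi wrapper that carries the genuine app under res/raw) into triage checks, here is an added Python example that is not part of Anomali's research or tooling: it scans an APK, which is a zip archive, for a second APK embedded under res/raw or assets, and compares an app's displayed label and package name against the official package names from Table 1. It assumes the label and package name have already been extracted with a tool such as aapt or androguard; the sample dropper APK is constructed in memory and is not a real malware file.

```python
import io
import zipfile

# Official package names taken from Table 1 of this post (label -> package).
OFFICIAL_PACKAGES = {
    "PeduliLindungi": "com.telkom.tracencare",
    "Coronavírus - SUS": "br.gov.datasus.guardioes",
    "Aarogya Setu": "nic.goi.aarogyasetu",
}

def is_apk_blob(data):
    """True if data is a zip carrying the two entries every APK has."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and "classes.dex" in names

def find_nested_apks(apk_bytes, prefixes=("res/raw/", "assets/")):
    """Names of entries under res/raw or assets that are themselves APKs.
    The PeduliLindungi lookalike stores the genuine app this way and
    installs it at runtime so the victim sees the real tracing app."""
    nested = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith(prefixes) and is_apk_blob(z.read(info)):
                nested.append(info.filename)
    return nested

def package_mismatch(app_label, package_name):
    """True when the label matches an official tracing app but the package
    name is not the official one (label PeduliLindungi with package
    cmf0.c3b5bm90zq.patch, as in the sample analysed above)."""
    official = OFFICIAL_PACKAGES.get(app_label)
    return official is not None and official != package_name

def build_sample_dropper():
    """Constructed sample (not a real malware file): an outer APK whose
    res/raw folder holds a second, complete APK plus an unrelated file."""
    def mini_apk(extra):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header
            z.writestr("classes.dex", b"dex\n035\x00")
            for name, data in extra.items():
                z.writestr(name, data)
        return buf.getvalue()
    return mini_apk({"res/raw/app.apk": mini_apk({}), "res/raw/notes.txt": b"text"})
```

A nested APK is not proof of malice on its own (some legitimate installers bundle plugins), but combined with a label that matches an official tracing app and a package name that does not, it is a strong signal worth escalating.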
Conclusion
The security and privacy risk posed by malicious COVID-19 apps is evident in the findings of Anomali Threat Research and other security researchers. Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of apps released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name that actors will continue to abuse. This research reveals a glimpse of some of the applications threat actors are actively distributing; there are likely numerous others in the wild that have not yet been detected.
IOCs
c448ae9ad80f088e9296f08a114605e2
66b3529f7589cac62960bfacc9dbc5f4
0ba9d47e0d9fa0b6db4f397a34f7efab
References
[1] "A Deep Dive Into SpyNote 6.5 Android RAT," 70ry, accessed June 3, 2020, published February 13, 2020, https://70ry.tistory.com/412; Amrita Nayak Dutta, "Pakistani operatives create fake Arogya Setu app to 'steal info' from Indian defence forces," ThePrint, accessed June 3, 2020, published April 27, 2020, https://theprint.in/defence/fears-rise-that-pakistan-based-intel-operatives-could-misuse-aarogya-setu-app/409798/; "FAKE AAROGYA SETU ANDROID APPS HARBOR SPYWARE CAPABILITIES," Security News - SonicWall, accessed June 3, 2020, published May 20, 2020, https://securitynews.sonicwall.com/xmlpost/fake-aarogya-setu-android-apps-harbor-spyware-capabilities/.
[2] Jacob Soo, “SpyNote Android Trojan Builder Leaked,” Unit 42 Palo Alto Networks, accessed June 3, 2020, published July 28, 2016, https://unit42.paloaltonetworks.com/unit42-spynote-android-trojan-builder-leaked/.
[3] Ibid.
[4] “PeduliLindungi,” Google Play, accessed June 3, 2020, https://play.google.com/store/apps/details?id=com.telkom.tracencare.
Appendix
App name - com.android.tester
Country - India
Figure 9 - Language selector from the malicious Aarogya Setu app
Figure 10 - Malicious Aarogya Setu app home page
Figure 10 - Registration page for the malicious Aarogya Setu app
App Name - kg.cdt.stopcovid19
Country - Kyrgyzstan
Figure 11 - Sign Up Page from Kyrgyzstani app
App name - am.ac19.health
Country - Armenia
Figure 12 - Home screen of malicious Armenian app
App Name - co.health.covid
Country - Iran
Figure 13 - Home Screen of Malicious Iranian App