Authored by: Tara Gould, Gage Mele, Parthiban Rajendran, and Rory Gould
Threat actors are distributing fake Android applications themed around official government COVID-19 contact tracing apps. Anomali Threat Research (ATR) identified multiple applications that contain malware, primarily Anubis and SpyNote, and other generic malware families. These apps, once installed on a device, are designed to download and install malware to monitor infected devices, and to steal banking credentials and personal data. The wider security community continues to monitor ongoing malicious activity themed around COVID-19. ATR believes that the fake apps are likely being distributed through other apps, third-party stores, and websites, among others. As of the publication of this research, the fake apps had not been identified as being present in the Google Play Store.
Anomali Threat Research identified 12 malicious applications that appear to be targeting citizens of multiple countries. This activity consists of separate incidents of malicious activity themed around COVID-19 and should not be viewed as a coordinated campaign. Multiple countries were found to have malicious activity themed directly after government and/or malicious COVID-19-themed applications. Anomali Threat Research findings are shown below in Table 1.
Table 1 - Malicious Applications
|Government Tracing App||Official Package Name||Malicious Package Name||Detection Name|
|Italy (impersonating INPS)||certificati.farma.droid||ynhsumknjtd.hphsefyntauykl.hauqklysedjjnukso||*Trojan|
|Russia - EMERCOM||com.minsvyaz.gosuslugi.stopcorona||anubis.bot.myapplication||Anubis|
*Unnamed or generic malware
Anubis is an Android banking trojan that utilizes overlays to access infected devices and steal user credentials. The malware has been reportedly available since at least 2017 and disguises itself as legitimate applications such as fake software updates. Custom injects are used by threat actors to make the victim believe they are viewing their banking application whilean overlay controlled by the actor and placed on top of the application is used to steal sensitive information.
- Access to SMS messages, location, contact list, system information
- Custom injections to a wide range of banking and social media applications, to harvest sensitive information
- Hides itself from App drawer as launched
- Record phone calls
- Steals data
- Use of overlays to steal credentials
Legitimate application - Coronavírus - SUS
Malicious application - Coronavírus - SUS
Malicious package - wocwvy.czyxoxmbauu.slsa
Sample - ec70b3f8db8a66d353cc69704b4d7141
Anomali Threat Research has found a malicious application hosted on a website btc-chenger[.]xyz that impersonates the Brazilian government’s official COVID tracing app. The malicious application imitates the legitimate application as a lure for victims to download the Anubis malware. When the app is first started on the device it will ask for the accessibility service privilege as shown in the figure 2. Once the user enables the permissions the app will run in the background and hides the icon from the application drawer.
Figure 1 - Icon as it Appears on Android Device
Figure 2 - Malicious app requests Accessibility permissions
Figure 3 - List of Permissions Granted by Anubis
Figure 4 - Anubis SMS-Stealing Abilities
Figure 5 - Anubis Accessing Users’ Contacts
SpyNote is an Android trojan with the primary objective of gathering and monitoring data on infected devices. The trojan was first identified by Palo Alto Unit 42 researchers in December 2016. SpyNote is based off of leaked source code from malware forums and functions similarly to the Remote Access Trojans (RATs) DroidJack and OmniRat.
- Access SMS, GPS Location, Contacts
- Call From Victims Number
- Capture Photos From Camera
- Check Browser History
- Check Installed Apps
- Device Information
- Exfiltrate Files
- Installed Application
- Read Or Write Messages
- Read Or Write The Contacts List
- Record Calls
Legitimate application - PeduliLindungi
Malicious application - PeduliLindungi
Malicious package - cmf0.c3b5bm90zq.patch
Sample - 0bc3d828e7ab270a8baab7a32633de0d
Figure 6 - App Icon in App Drawer
PeduliLindungi is an Indonesian COVID-19 tracing application created by the Republic of Indonesia Ministry of Communication and Information Technology. Anomali Threat Research found an application impersonating PeduliLindungi, also called PeduliLindungi, that contains the SpyNote malware. The malicious application contains the legitimate app inside itself under the “/raw/” folder. When the malicious app is run, the legitimate application is installed on the device, with the malicious app hiding from the app drawer.
Figure 7 - Code showing install command, used to install the legitimate APK.
Figure 8 - The legitimate app, stored inside ‘res/raw’
The potential security and privacy-related risk of malicious COVID-19 apps is evident in Anomali Threat Research and other security researchers' findings. Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name, of which actors will continue to abuse. This research reveals a glimpse into some of the applications threat actors are actively distributing, and there are likely numerous others in the wild that have not yet been detected.
 “A Deep Dive Into SpyNote 6.5 Android RAT,” 70ry, accessed June 3, 2020, published February 13, 2020, https://70ry.tistory.com/412; Amrita Nayak Dutta, “Pakistani operatives create fake Arogya Setu app to ‘steal info’ from Indian defence forces,” ThePrint, accessed June 3, 2020, published April 27, 2020, https://theprint.in/defence/fears-rise-that-pakistan-based-intel-operatives-could-misuse-aarogya-setu-app/409798/; “FAKE AAROGYA SETU ANDROID APPS HARBOR SPYWARE CAPABILITIES,” Security News - SonicWall, accessed June 3, 2020, published May 20, 2020, https://securitynews.sonicwall.com/xmlpost/fake-aarogya-setu-android-apps-harbor-spyware-capabilities/.
 Jacob Soo, “SpyNote Android Trojan Builder Leaked,” Unit 42 Palo Alto Networks, accessed June 3, 2020, published July 28, 2016, https://unit42.paloaltonetworks.com/unit42-spynote-android-trojan-builder-leaked/.
 “PeduliLindungi,” Google Play, accessed June 3, 2020, https://play.google.com/store/apps/details?id=com.telkom.tracencare.
App name - com.android.tester
Country - India
Figure 9 - Language selector from malicious Arrogya Setu App
Figure 10 - Arrogya Setu App Home Page
Figure 10 - Registration Page for Arrogya Setu App
App Name - kg.cdt.stopcovid19
Country - Kyrgyzstan
Figure 11 - Sign Up Page from Kyrgyzstani app
App name - am.ac19.health
Country - Armenia
Figure 12 - Home screen of malicious Armenian app
App Name - co.health.covid
Country - Iran
Figure 13 - Home Screen of Malicious Iranian App