As the COVID-19 pandemic spreads around the globe, governments are banding together to track the rate of infection. Unfortunately, hackers are keen to exploit the fear and confusion to spread malware via fake contact-tracing apps.

Let's look at how a hacker can use the coronavirus panic to deliver malware onto people's phones.

What Is a Contact-Tracing App?

With the coronavirus making a huge impact across the globe, it's important to know how the virus spreads amongst communities. Due to COVID-19's ability to stay low on the radar, people can spread it without realizing it. As such, it's crucial to inform potential victims that they may be infected before they spread it further.

To achieve this, governments around the world are investing in a contact-tracing app (like the UK's NHS COVID-19 app). This app harnesses the internet to deliver lightning-fast reports to prevent further infections. As soon as an infection risk becomes apparent, everyone that's affected can be notified instantly, thus reducing the spread.

A contact-tracing app achieves this by keeping tabs on who you were near. It does this by sending out a small Bluetooth signal and listening for signals from other phones. Once your phone finds someone else's, both phones log that you two were near one another.

Then, should someone come down with COVID-19, their app is informed of this. The app goes through the list of phones it came close to and warns them about a potential COVID-19 infection. Recipients of this message can then self-isolate to stop the spread.

The Problem That Contact-Tracing Apps Face

The theory behind contact-tracing apps is sound; if implemented correctly, they can help people self-isolate and prevent further infections.

Unfortunately, the implementation of the app is the tricky part. The app needs to log every phone it comes close to, then warn them all when a positive diagnosis occurs. Not only that, but a lot of people need to download the app for it to be effective.

As such, countries around the world are hard at work developing, testing, and deploying this app. This creates a lot of anxiety amongst people who are keen to download the app so they can stay safe. This delay then opens the door for scammers, who can create fake apps to prey on the fear of others.

How the Fake Contact-Tracer Attack Works

The fake contact-tracer app attack has two stages to it. The first is tricking people into thinking that the hacker's app is the real deal. The second is delivering a payload once the fake app tricks the user into downloading it.

Setting the Stage for a Contact-Tracing Scam

To start a contact-tracer app attack, a hacker will target a country to base their fake app on. Ideally, it's a country that is either working on an app or already has one. This ensures their targets know about, and want to download, a contact-tracing app.

Once the attacker selects their target country, they get to work on creating a fake website. They can't upload the fake app to Google Play, as it runs the risk of detection from Google's defenses.

That's not to say that Google Play is free of threats; after all, it has been home to cryptojackers in the past. However, it's a safer option for the hacker to host it themselves and avoid detection.

The hacker designs the fake website to look like an official governmental webpage. They'll take assets from the real website and re-create it on their fake website to help enhance the illusion.

They will then register a domain name that looks official so people don't get suspicious. This includes URLs that look similar to the real deal or replacing letters with look-alike alternatives to fool someone who doesn't check the address.
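A defender-side check for the look-alike domains described above, added here as an example and not part of the original article. The official domain is a placeholder, the confusables table is a small illustrative subset, and the sample inputs in the usage note are constructed.

```python
import unicodedata

# Assumption: placeholder for the real government download domain.
OFFICIAL_DOMAINS = {"covid-tracing.example.gov"}

# Illustrative subset of visually confusable characters (not exhaustive).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0456": "i",  # Cyrillic/Ukrainian i
}

def skeleton(domain):
    """Fold a domain to a form in which look-alike spellings collide."""
    text = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, max_distance=2):
    """Return official, lookalike-homoglyph, lookalike-typo or unrelated."""
    name = domain.strip().lower().rstrip(".")
    if name in OFFICIAL_DOMAINS:
        return "official"
    skel = skeleton(name)
    for official in OFFICIAL_DOMAINS:
        official_skel = skeleton(official)
        if skel == official_skel:
            return "lookalike-homoglyph"   # same shape, different characters
        if edit_distance(skel, official_skel) <= max_distance:
            return "lookalike-typo"        # a character or two off
    return "unrelated"
```

For example, `classify("c0vid-tracing.example.gov")` returns `lookalike-homoglyph`, while a domain that appends extra words to the official name exceeds the distance threshold and needs a separate substring check.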

Delivering the Payload to Complete the Scam

Now that the hacker has set the stage, it's time to design the payload that the visitors download. From here, the hacker has two options for their malware. They can design it to hide away and harvest data, or go in guns blazing and make demands from the victim.

If the hacker chooses the first option, they'll create an app that looks like the real thing. Anomali Threat Research identified fake coronavirus tracing apps paired with banking Trojans. These Trojans carried the most infamous mobile malware strains available, such as Anubis.

This method is harder to develop, as the hacker needs to create an app that looks like the real thing. Sometimes they may use the legitimate contact-tracer app's code and add a hidden payload to it.

Once the user downloads and installs it, the malware can hide without the user's knowledge and collect data. If the app is particularly convincing, the victim may share the malicious app with friends and family, thus spreading the net even further.

Alternatively, the hacker can choose the destructive route. This includes using malware that's noticeable, such as ransomware. After all, the entire premise of ransomware is that you notice it!

ESET discovered a strain in the wild that took this route. It appeared in Canada after the government announced the development of an official app. This contained the CryCryptor malware that locked away important files and demanded payment.

While this method of attack sets off alarm bells, it's the easier of the two to distribute. As such, hackers use it for a quick payout instead of a long con like banking malware.

How to Avoid a Fake COVID-19 Tracer Scam

To avoid this scam, keep tabs on how your government's contact-tracing app is progressing. Check reliable news sources and visit your government's website for updates.

If your country already has a contact-tracing app, download it from official sources only. If you search Google Play for the app, be sure you're getting the real deal instead of downloading a phony. Look at the number of reviews as well as the rating to find the real app.

When you install a contact-tracing app, be sure to double-check the permissions that it asks for. If the app asks for every permission it can get, or one of its permissions looks a little suspicious, don't install it. Mobile malware depends on users conceding too many permissions to operate, so always double-check the source if an app asks for something unusual.
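The permission check above can be automated for an APK whose manifest has been decoded to plain XML (for instance with apktool). The following is an added example, not from the original article: the expected baseline and the high-risk set are assumptions chosen for this illustration, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: what a Bluetooth proximity-logging app plausibly needs.
EXPECTED = {P + n for n in ("BLUETOOTH", "BLUETOOTH_ADMIN", "INTERNET",
                            "ACCESS_FINE_LOCATION", "FOREGROUND_SERVICE")}
# Assumption: permissions a contact tracer has no reason to hold.
HIGH_RISK = {P + n for n in ("READ_SMS", "RECEIVE_SMS", "SEND_SMS",
                             "READ_CONTACTS", "SYSTEM_ALERT_WINDOW",
                             "REQUEST_INSTALL_PACKAGES",
                             "BIND_ACCESSIBILITY_SERVICE")}

# Constructed sample manifest for the example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracer">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Collect <uses-permission> names plus bind permissions on services."""
    # For manifests from untrusted APKs, use a hardened XML parser instead.
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(ANDROID + "permission") for e in root.iter("service")}
    perms.discard(None)
    return perms

def audit(manifest_xml):
    """Split requested permissions into high-risk and merely unexpected."""
    perms = requested_permissions(manifest_xml)
    high = sorted(perms & HIGH_RISK)
    unexpected = sorted(perms - EXPECTED - HIGH_RISK)
    verdict = "do-not-install" if high else ("review" if unexpected else "ok")
    return {"high_risk": high, "unexpected": unexpected, "verdict": verdict}
```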

If you do download a fake app and get hit by CryCryptor ransomware, all is not lost. ESET, the reporters of the ransomware-based scam, released a decryption tool that can unlock your phone.

Staying Safe Against Coronavirus

With coronavirus causing panic around the world, hackers exploit this fear for profit. If your country has announced a COVID-19 tracing app, don't fall for any traps and only follow trustworthy sources.

If you're struggling to identify what's real and what's fake, be sure to check out the websites you can trust for coronavirus information.