Android malware uses coronavirus for sextortion and ransomware combo

Late last week, researchers at network intelligence company DomainTools warned about an Android malware sample that caught our attention.

Like many other cyberthreats doing the rounds these days, the criminals have used the coronavirus pandemic as a lure, offering an intriguing if rather creepy app called COVID 19 TRACKER.

Catchy icon of the malware app

The app offers to “Track Real-Time Coronavirus Outbreak in your Street, City and State”, and says it will “Get Real-Time Statistics about Coronavirus outbreaks around you in over 100 countries.”

Main malware landing page when browsing from Android

To be precise, if you’re keeping your eye out for giveaway mistakes, it actually says outbreak aroud you, an error both of grammar and spelling that you can see below.

Sure, mainstream websites make spelling mistakes, too, but every clue helps, so keep your eyes open for errors that might be a telltale sign of crooks in a hurry.

As we’ve seen before in coronavirus-themed cybercrime, the criminals have added the logos of various legitimate and useful sources of information:

Left: Main malware landing page when browsing from Android
Right: Download button with fraudulent “certification” claims

This time, they’re claiming their app is “certified by” the US Department of Education, the World Health Organization (WHO), and the US Centers for Disease Control and Prevention (CDC).

(No, that’s not a typo above: the CDC runs its operations and research from numerous major locations, so its name is a plural.)

If you’re wondering why the feature to track coronavirus infections in more than 100 countries has what looks like a winner’s gold cup above it with the number “1” on it, it’s because the crooks have plundered various legitimate apps and brands to leech logos, layout ideas, icons and more to use in their code.

The marketing material that the crooks have crudely ripped off comes from the pages of an unrelated Google Play app that really does have a 4.4-star rating:

Left: ripped-off web site content repurposed by malware authors
Right: original marketing from unrelated Google Play app

What about the the app?

As you can see from the screenshot above, the “tracker app” doesn’t come from Google Play, because it wouldn’t get in.

Instead, you have to go off-market by downloading it directly from the crooks’ website by clicking their own [DOWNLOAD APK] button.

When you run the app for the first time, it asks for various permissions that might make you suspicious, but that don’t seem too outrageous, given that it’s supposed to keep you alerted about coronavirus cases as you move around.

In particular, the app wants to run in the background, to have lockscreen access, and to use Android’s accessibility features, as you see here:

Left: background permission is requested immediately
Right: clicking the [SCAN] button on the app screen demands you to grant more permissions first

Although the malware claims to need lockscreen access to give you an “instant alert when a coronavirus patient is near you”, that’s bogus for two reasons.

Firstly, even if the app is using the latest coronavirus stats, downloaded in real time, it has no way of determining the infectious status of any individual passing by, so it is false (and, indeed, creepy) to claim this as a “feature” at all.

Secondly, you don’t need “lockscreen access” to send notifcations to the lockscreen – that’s controlled by the user, who can choose from their phone’s settings what sort of notifications to show when the phone is locked.

In fact, the malware wants what’s called device admin rights, as you can see in the screenshot below.

This is a feature that Google describes in its own documenation as allowing “device administration features at the system level, [to] allow you to create security-aware apps that are useful in enterprise settings.”

Similarly, if this app were genuine, it wouldn’t need Accessiblity permissions, as it claims.

Those features are intended for use by software such as screen readers (which obviously need to access the screen content of other apps), and they’re tolerated on Google Play for security apps that can justify looking out for data such as web links in order to look for malicious sites.

The app claims that it needs Accessibility permissions by mentioning “active stats monitoring”, but a legitimate program would get its data by downloading and processing it itself, not by “sneaking a peek” and stealing it from other apps.

Left: malware demands device admin powers, though they aren’t needed for lockscreen notifications
Right: malware uses Accessibility functions to track your app usage

What happens next?

The real reasons why this malware wants to run in the background, monitor the other apps you are running, and intervene as a device administrator…

…are probably rather obvious, given the headline of this article.

Amongst other things, it tracks which app you have in the foreground and takes over control as soon as you try to use your phone for most of its normal features, including making calls, getting and sending messages, and accessing the Settings page.

And the Settings page is probably exactly where you will want to go as soon as a the malware kicks in, which is does within about a second of launching most apps:

The malware locks you out of most apps by quickly covering them entirely with a blackmail demand.
The demand mixes sextortion with ransomware.

As you can see, this one is a combination of sextortion and ransomware – you’re locked out of your device because of the persistent pop-over screen, but with a threat to leak personal videos and photos to your family as an added incentive to pay up.

Once you’re infected, you can’t access Settings (where you can, in fact, kill off and uninstall the malware), in an attack reminiscent of Reveton, one of the earliest mobile phone “screen locker” ransomware variants that was widespread back in 2012.

Ironically, the malware is careful not to block your browser, even though you could use it to go online and look for advice on how to clean up.

That’s because the malware itself relies on the browser to load its own “here is how it works” page, hosted on the free data-sharing site Pastebin:

Instructions for how much to pay and whom to contact

How to clean up

Fortunately, at least in our experiments with this sample, the malware was fairly easy to remove by hand.

Our files were left intact, with the malware relying on its rapid pop-over screen as its way of keeping you locked out of your device, and as far as we can tell, the threat to reveal your personal data to friends and family if you don’t pay is entirely empty.

In other words, if you can remove the app so it no longer interferes with your phone usage, then you’re essentially home free.

A quick fix is offered by the fact that the crooks were lazy, and hardcoded the unlock code into their app:

Hardcoded unlock PIN in the malware

When we typed in the 10-digit code 4865083501 where you see enter decryption code in the blackmail page shown above, the malware stopped blocking our access to other apps.

Note, however, that the unlock code doesn’t actually stop the malware and uninstall it!

(The crooks handily left logging code in their app, so we could use the Android development tool adb logcat to watch the app continuing to abuse its Accessibility permissions to track apps as we used them, even after we’d entered the unlock code.)

But after entering the unlock code, we were able to access the Settings page, remove the malware’s device admin rights and uninstall it.

We used Settings > Apps and notifications > See all N apps to reach the App info page, where we located the Coronavirus Tracker app:

Left: the top-level App info page
Right: the malware shows up as “Coronavirus Tracker”

We tapped on the malware entry to open up its own App info page, where we used the system’s Uninstall button to get to the Deactivate & uninstall option, by which the system will demote the app from its device admin role (which prevents regular uninstallation) and then remove it:

Left: the [Uninstall] button on the system App info page
Right: uninstalling from here lets you remove device admin and the app in one go

We also tried rebooting our phone in Safe Mode, where most background apps don’t run, to see if we could remove the malware without relying on the unlock code – even though we know the right code for this sample, it might be different in other variants of the malware.

Also, there is something unappealing about trying to remove the malware while it’s still active and keeping track of what you’re up to on the device.

On our phone, Safe Mode is activated by holding the power button until the reboot menu appears, then holding down the power off icon for a second or two until the Safe Mode menu appears.

After a reboot, the text Safe mode appeared at bottom left of the screen; the malware didn’t launch; and we could use the same procedure as we did above to locate, deactivate and uninstall the malware.

What to do?

Not all mobile malware is this easy to get rid of, and most ransomware these days no longer just locks your device but also scrambles your files so that they need decrypting, too.

And many crooks have learned not to take shortcuts with their passwords, so it’s unusual to find an unlock key right there in the malware code.

So, your best bet is not to let your Android get infected in the first place.

  • Stick to Google Play. It’s not perfect, but it would almost certainly never have admitted this app, not only because of its coronavirus theme, but also because of its blatant abuse of permissions.
  • Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it will not only block malware from running in the first place, wherever you download it from, but also keep you away from risky websites to start with.
  • Never believe an app’s own propaganda. In this case, the crooks simply stole a marketing history from an existing app and claimed it as their own, complete with a positive review rating. On-site reviews are largely meaningless – they could have come from anywhere, and probably did. If you need advice, ask someone you actually know and trust.
  • Don’t grant permissions to an app unless it genuinely needs them. Decently-behaved apps generally still work, albeit with limited features, even if you withold some permissions, so this malware’s trick of demanding unreasonable permissions before it runs at all should be considered suspicious.

Oh, in case it makes you feel better, the total amount that the crooks have received into the Bitcoin address shown in the Pastebin page above…

…is zero.


go top