COVID-19 , Endpoint Security , Fraud Management & Cybercrime

COVID-19-Themed Malware Goes Mobile

Researchers Spot Spyware and Ransomware Targeting Android Devices
COVID-19-Themed Malware Goes Mobile

Cybercriminals, and perhaps nation-state hackers, that are attempting to take advantage of the COVID-19 pandemic are now turning their attention to mobile devices to spread malware, including spyware and ransomware, security researchers warn (see: Nation-State Hackers Using COVID-19 Fears to Spread Malware).

See Also: Manufacturing System Protection from Cyber Attacks

For example, researchers at the security firm Lookout have tracked a malicious Android application called "corona live 1.1," which hides surveillance spyware and appears to target mainly Libyan citizens. Attackers are spoofing a legitimate app called "corona live" that provides users data from a Johns Hopkins University tracker dedicated to information related to COVID-19, according to the report.

This is one of several COVID-19 themed campaigns that have been spotted in the wild over the past few weeks on various mobile devices, says Kristin Del Rosso, a cybersecurity researcher at Lookout, who worked on the latest report.

"COVID-19 themed mobile malware has been around for a while,” Del Rosso tells Information Security Media Group. “The key difference is that previous samples were for short-term financial gain, or governments looking to get a better picture on infected individuals’ locations. We've also seen COVID-19 themed ransomware and banking Trojans. This is one of the first cases of an existing surveillance campaign taking advantage of the media landscape around COVID-19."

Screenshot of the corona live 1.1 after it's opened (Source: Lookout)

Del Rosso says that her research cannot determine if this spyware effort is the work of nation-state hackers or cybercriminals, but it does illustrate how easily a motivated group can spin up the resources they need to take advantage of the COVID-19 crisis.

"We have seen other nation-states use commercial surveillanceware from the same families used here, so we do not rule out the possibility," Del Rosso says. "The key point is that it is very easy for an actor to spin up any themed application they want to either begin or continue targeting individuals of interest."

Mobile Threats

Other researchers have noticed similar patterns, with COVID-19-themed malware targeting mobile users, mainly those using Android devices.

A recent analysis conducted by threat intelligence firm Domain Tools revealed that attackers have been deploying Android ransomware called CovidLock that claims to be a COVID-19 information tracker but is actually designed to lock victims' screens until they pay a ransom (see: Fighting Coronavirus-Themed Ransomware and Malware).

In addition, researchers with Avast issued an alert about increases in mobile malware using COVID-19 as a lure. Cybercriminals are “releasing malicious apps that are masking themselves as fake COVID-19 tracking apps or even fake 'cures' for the disease. Also, new apps have appeared that aim to spread misinformation about the pandemic," the report notes.

Avast is opening up the company's mobile threat intelligence platform, called "", and providing telemetry feeds to other researchers who can then investigate malware samples that are targeting mobile devices, the company says.

Surveillance Apps

Lookout says the malicious corona live 1.1 app is designed to hide commercially available spyware called SpyMax, which can give attackers the ability to control an infected device in real time.

The version of SpyMax that Lookout researchers found appears to have started targeting Libyan citizens as early as April 2019, but its operators then switched to the COVID-19-themed apps in recent weeks to help spread the malware further, Del Rosso says. The command-and-control servers for the campaign remain active and have been seen in the Middle East as well, she adds.

Once installed, corona live 1.1 requests access to photos, media, files, device location, as well as permission to take pictures and record video, according to the report.

An investigation of the command-and-control servers, Del Rosso says, shows that the spyware is likely controlled by a group in Libya, or the attackers have compromised infrastructure belonging to a Libyan organization.

"As long as COVID-19 is at the top of everyone’s minds and a topic of interest, cybercriminals are likely to take advantage of it," Del Rosso says. "Any event that is capable of gathering a large amount of public interest is often abused, and COVID-19 is a big target for malicious actors due to the unprecedented level of interest and anxiety it causes for so many people."

Managing Editor Scott Ferguson contributed to this report.

About the Author

Ishita Chigilli Palli

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.