{"id":88713,"date":"2020-03-20T20:17:55","date_gmt":"2020-03-20T14:47:55","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=88713"},"modified":"2020-03-30T17:51:00","modified_gmt":"2020-03-30T12:21:00","slug":"fake-coronavirus-tracking-app","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/fake-coronavirus-tracking-app\/","title":{"rendered":"Fake Coronavirus\u00a0tracking app exploiting our fear and vulnerable social situation"},"content":{"rendered":"

As the Coronavirus spreads across countries creating fear across the globe, everybody wants to stay on top of any information related to it wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously on the Android\u00a0<\/span>Playstore<\/span>, there were\u00a0<\/span>many\u00a0 applications<\/span>\u00a0present which claimed that they could provide Coronavirus tracking information. But Google has set up some rules for these types of applications and have considered these under the \u2018Sensitive events\u2019 category. According to policies from this rule, Google proactively removed many applications from\u00a0<\/span>Playstore<\/span>\u00a0to stop malware authors to take advantage of this situation.<\/span><\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0\u00a0But malware authors have used another way to\u00a0<\/span>enter into<\/span>\u00a0the user\u2019s phone. They are using their sites to\u00a0<\/span>publish\u00a0 malicious<\/span>\u00a0apps developed by hackers themselves. There is a website named \u2018<\/span>coronavirusapp<\/span>[.]site\u2019 \u2014on this website, an Android application is hosted which claims to get real-time info about Coronavirus patients. The application claims that it will give notification to the user if a Coronavirus patient is present in the vicinity.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span><\/span>Fig. 1<\/span><\/span>\u00a0<\/span><\/span>\u2013<\/span><\/span>\u00a0Site snapshot<\/span><\/span>\u00a0<\/span><\/span>\u00a0<\/span><\/span><\/p>\n

But in reality<\/span><\/span>,<\/span><\/span>\u00a0this<\/span><\/span>\u00a0app is\u00a0<\/span><\/span>ransomware<\/span><\/span>\u00a0<\/span><\/span>\u2014<\/span><\/span>i<\/span><\/span>t locks\u00a0<\/span><\/span>the\u00a0<\/span><\/span>user\u2019s<\/span><\/span>\u00a0android\u00a0<\/span><\/span>device and asks for\u00a0<\/span><\/span>a\u00a0<\/span><\/span>ransom.<\/span><\/span><\/p>\n

Technical Analysis of the App:\u00a0\u00a0<\/strong><\/p>\n

After launch, this application asks to ignore battery optimization so it can run in the background.<\/p>\n

\"\"<\/p>\n

Fig. 2<\/span><\/span>\u00a0<\/span><\/span>\u2013\u00a0<\/span><\/span>Asking for Battery optimization<\/span><\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0\u00a0After getting this permission it starts its malicious activity where it asks for accessibility permission \u2014accessibility was introduced in Android to assist physically impaired users. Accessibility service has access to sensitive information such as\u00a0the\u00a0 information\u00a0about running applications on the phone. Attackers can misuse this data. The App\u2019s next step is\u00a0to ask\u00a0for device admin permission. Device administrator enabled app can enforce security policies, password policies being one of\u00a0them. Malware\u00a0authors can use this permission to take control of the device.\u00a0<\/span><\/span><\/p>\n

\"\"<\/p>\n

Fig. 3<\/span><\/span>\u00a0<\/span><\/span>\u2013\u00a0\u00a0<\/span><\/span>Activities<\/span><\/span>\u00a0asking for device admin permission and accessibility<\/span><\/span>\u00a0<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 After granting permissions, when the user clicks on \u2018scan area for coronavirus\u2019, the\u00a0app\u00a0 calls\u00a0upon the\u00a0onhideapp() method which further checkmarks all required permissions. If all permissions are given by the\u00a0user,\u00a0 it\u00a0hides its icon from the application drawer.\u00a0<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Fig. 4\u00a0<\/span><\/span>\u2013\u00a0<\/span><\/span>Code to hide\u00a0<\/span><\/span>the\u00a0<\/span><\/span>application icon<\/span><\/span>\u00a0<\/span><\/p>\n

How\u00a0<\/span><\/span>does this malware\u00a0<\/span><\/span>lock<\/span><\/span>\u00a0the phone<\/span><\/span>?<\/span><\/span>\u00a0\"\"<\/span><\/span><\/h4>\n

Fig. 5\u00a0<\/span><\/span>\u2013 P<\/span><\/span>hone locking flow<\/span><\/span><\/p>\n

Below are the events which occur to lock User\u2019s device:<\/p>\n

A) Due to accessibility permission malware can get all accessibility events. In the above code snippet (block 1) we can see it checks accessibility events type. If this type is TYPE_WINDOW_CONTENT_CHANGED (Constant Value: 2048) Or TYPE_WINDOW_STATE_CHANGED (Constant Value: 32) it calls upon the method\u00a0\u00a0Onblocker().<\/p>\n

B) In this method it creates a new thread (code snippet block 2) in which it calls method\u00a0startblockedactivity(), which starts\u00a0BlockedAppactivity. Before calling\u00a0this\u00a0 it\u00a0checks various conditions such as, if the app is hidden from the app drawer (code snippet block 3).<\/p>\n

C) Then\u00a0BlockedAppactivity\u00a0is started. In\u00a0oncreate\u00a0it sets\u00a0contentview\u00a0to blocked app which is the ransomware note (code snippet block 4).<\/p>\n

Thus,\u00a0whenever\u00a0the\u00a0user tries to open any app this activity\u00a0opens\u00a0not allowing the user\u00a0to use\u00a0the\u00a0intended app.<\/p>\n

Below is a snapshot of ransomware note activity. where the malware\u00a0author asks for 250 $ ransom. There is another variant of the app in which ransom amount is 100 $. There is a button \u2018Web\u00a0designius\u2019. \u2014when a user clicks on this button it redirects to\u00a0Pastebin\u00a0page where malware author has given instructions to unlock the phone.<\/p>\n

\"\"<\/p>\n

Fig.\u00a0<\/span><\/span>6\u00a0\u00a0<\/span><\/span>\u2013<\/span><\/span>\u00a0<\/span><\/span>a\u00a0<\/span><\/span>variant of coronavirus tracker\u00a0<\/span><\/span>ransomware<\/span><\/span>\u00a0with 250 $ ransom note<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Fig. 7\u00a0<\/i>\u2013\u00a0a\u00a0variant of coronavirus tracker\u00a0ransomware\u00a0with 100\u00a0$ ransom\u00a0note<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0\u00a0Malware author has written pin verification code in the same activity. The\u00a0<\/span>BlockedAppactivity<\/span>\u00a0has a function named\u00a0<\/span>verifyPin<\/span>() which checks input code to hardcoded key \u20184865083501\u2019. By entering this key user can unlock his phone.<\/span><\/span>\u00a0<\/span><\/p>\n

\"\"<\/p>\n

Fig. 8\u00a0<\/span><\/span>\u2013\u00a0<\/span><\/span>Pin verification code\u00a0<\/span><\/span>\u00a0<\/span><\/p>\n

\u00a0 \u00a0There are many sites which are offering Coronavirus tracking maps and Coronavirus related information, many of these sites ask users to install Android applications to get more info. We have analyzed one of the\u00a0sites which\u00a0claims to give good info\u00a0but in reality, is\u00a0a ransomware app. Users should not fall prey to these types of apps and sites. If they want information for their safety, they can visit the official WHO\u00a0<\/a>website.<\/p>\n

 <\/p>\n

Application\u00a0name :<\/p>\n

Coronavirus tracker<\/p>\n

Detection:<\/p>\n

Quick Heal Mobile Security\u00a0detects\u00a0these apps\u00a0under\u00a0detection\u00a0\u00a0Android.Locker.O<\/p>\n

IOC:<\/p>\n

69a6b43b5f63030938c578eec05993eb<\/p>\n

D1d417235616e4a05096319bb4875f57<\/p>\n

How to stay safe \u2013<\/strong><\/p>\n

1. Check an app\u2019s description before you download it.<\/p>\n

2. Check the app developer\u2019s name and their website.If the name sounds strange or odd, you have all the reasons to suspect it.<\/p>\n

3. Go through the reviews and ratings of the app. But, note that these can also be faked.<\/p>\n

4. Avoid downloading apps from third-party app stores.<\/p>\n

5. Use a reliable mobile antivirus (like Quick Heal Total Security), that can prevent fake and malicious apps from getting installed on your phone.<\/p>\n","protected":false},"excerpt":{"rendered":"

As the Coronavirus spreads across countries creating fear across the globe, everybody wants to stay on top of any information related to it wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously on the Android\u00a0Playstore, there were\u00a0many\u00a0 applications\u00a0present which claimed that they could provide Coronavirus […]<\/p>\n","protected":false},"author":61,"featured_media":88730,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,910],"tags":[1721,534,50],"class_list":["post-88713","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-ransomware","tag-coronavirus","tag-cybersecurity","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88713"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88713"}],"version-history":[{"count":34,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88713\/revisions"}],"predecessor-version":[{"id":88830,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88713\/revisions\/88830"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88730"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}