Anomali Threat Research Identifies Fake COVID-19 Contact Tracing Apps Used to Download Malware that Monitors Devices, Steals Personal Data


Authored by: Tara Gould, Gage Mele, Parthiban Rajendran, and Rory Gould


Overview


Threat actors are distributing fake Android applications themed around official government COVID-19 contact tracing apps. Anomali Threat Research (ATR) identified multiple applications that contain malware, primarily Anubis and SpyNote, along with other generic malware families. Once installed on a device, these apps are designed to download and install malware that monitors the infected device and steals banking credentials and personal data. The wider security community continues to monitor ongoing malicious activity themed around COVID-19.[1] ATR assesses that the fake apps are likely being distributed through other apps, third-party app stores, and websites, among other channels. As of the publication of this research, the fake apps had not been identified in the Google Play Store.


Anomali Threat Research identified 12 malicious applications that appear to target citizens of multiple countries. This activity consists of separate incidents of malicious activity themed around COVID-19 and should not be viewed as a coordinated campaign. In multiple countries the malicious apps were themed directly after the government's contact tracing app or after other COVID-19-themed applications. Anomali Threat Research findings are shown below in Table 1.


Table 1 - Malicious Applications


Government Tracing App       | Official Package Name     | Malicious Package Name                                       | Detection Name
-----------------------------|---------------------------|--------------------------------------------------------------|---------------
Armenia                      | am.gov.covid19            | am.ac19.health                                               | *Trojan
Aarogya Setu (India)         | nic.goi.aarogyasetu       | com.android.tester                                           | Spynote
Brazil                       | br.gov.datasus.guardioes  | wocwvy.czyxoxmbauu.slsa                                      | Anubis
Chhattisgarh                 | com.mobcoder.govcth       | cmf0.c3b5bm90zq.patch                                        | *Trojan
Colombia                     | co.gov.ins.guardianes     | qmkeasedjeumxmgb.czmofiuouafiuwtmwonw.eeepqsunrbflk          | *Trojan
Indonesia                    | com.telkom.tracencare     | cmf0.c3b5bm90zq.patch                                        | Spynote
Iran                         | ir.covidapp.android       | co.health.covid                                              | *Trojan
Italy (impersonating INPS)   | certificati.farma.droid   | ynhsumknjtd.hphsefyntauykl.hauqklysedjjnukso                 | *Trojan
Kyrgyzstan                   | kg.cdt.stopcovid19        | kg.cdt.stopcovid19                                           | * ..
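The package names in Table 1 are directly usable as indicators when triaging an Android device. The following is an added example (not Anomali's tooling) that checks the output of `adb shell pm list packages` against the malicious and official package names from the table. It assumes the standard `package:<name>` line format that `pm list packages` prints; the sample device output is constructed. Note the Kyrgyzstan entry, where the malicious sample reuses the official package name exactly: a name match there proves nothing either way, so the script flags it for signing-certificate verification rather than calling it clean or malicious.

```python
"""Triage an Android package list against the package names in Table 1.

Added example, not part of the original research. Assumes the input is the
text printed by `adb shell pm list packages` (one "package:<name>" per line).
"""

# Malicious package names copied from Table 1. The same malicious name is
# listed under two countries (Chhattisgarh and Indonesia), so values are tuples.
MALICIOUS_PACKAGES = {
    "am.ac19.health": ("Armenia",),
    "com.android.tester": ("Aarogya Setu (India)",),
    "wocwvy.czyxoxmbauu.slsa": ("Brazil",),
    "cmf0.c3b5bm90zq.patch": ("Chhattisgarh", "Indonesia"),
    "qmkeasedjeumxmgb.czmofiuouafiuwtmwonw.eeepqsunrbflk": ("Colombia",),
    "co.health.covid": ("Iran",),
    "ynhsumknjtd.hphsefyntauykl.hauqklysedjjnukso": ("Italy (INPS)",),
}

# Official package names copied from Table 1.
OFFICIAL_PACKAGES = {
    "am.gov.covid19": "Armenia",
    "nic.goi.aarogyasetu": "Aarogya Setu (India)",
    "br.gov.datasus.guardioes": "Brazil",
    "com.mobcoder.govcth": "Chhattisgarh",
    "co.gov.ins.guardianes": "Colombia",
    "com.telkom.tracencare": "Indonesia",
    "ir.covidapp.android": "Iran",
    "certificati.farma.droid": "Italy (INPS)",
    "kg.cdt.stopcovid19": "Kyrgyzstan",
}

# Names that Table 1 shows being reused by a malicious sample. A match on the
# name alone is inconclusive; the APK's signing certificate must be compared
# with the legitimate publisher's before deciding.
NAME_COLLISIONS = {"kg.cdt.stopcovid19"}


def parse_pm_list(output):
    """Extract package names from `pm list packages` output, ignoring junk lines."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def triage(packages):
    """Return (package, verdict, impersonated_apps) for every package of interest.

    Verdicts:
      known_malicious - name is in the malicious column of Table 1
      verify_signer   - name is shared by an official app and a malicious sample
      official_name   - name matches the official column only
    Packages that match nothing are omitted.
    """
    findings = []
    for pkg in packages:
        if pkg in MALICIOUS_PACKAGES:
            findings.append((pkg, "known_malicious", MALICIOUS_PACKAGES[pkg]))
        elif pkg in NAME_COLLISIONS:
            findings.append((pkg, "verify_signer", (OFFICIAL_PACKAGES[pkg],)))
        elif pkg in OFFICIAL_PACKAGES:
            findings.append((pkg, "official_name", (OFFICIAL_PACKAGES[pkg],)))
    return findings


def triage_pm_output(output):
    """Convenience wrapper: parse then triage."""
    return triage(parse_pm_list(output))


# Constructed sample output, standing in for `adb shell pm list packages`.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:nic.goi.aarogyasetu
package:com.android.tester
package:cmf0.c3b5bm90zq.patch
package:kg.cdt.stopcovid19
package:com.example.notes
"""

if __name__ == "__main__":
    for pkg, verdict, apps in triage_pm_output(SAMPLE_PM_OUTPUT):
        print(f"{verdict:16} {pkg:45} impersonates: {', '.join(apps)}")
```

On a real device, feed the script the captured `pm list packages` output and act on `known_malicious` hits first; `verify_signer` hits need the installed APK's signing certificate compared against the official app's before any conclusion is drawn.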
