If you’re looking to track COVID-19 news with an app, it’s a good idea to keep an eye out for malware traps. Earlier in March, a malicious Android app called CovidLock claimed to help users chart the spread of the virus. Instead, it led to a slew of Android phones being locked and held for ransom by hackers.
Cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that leave people emotional or fearful to drive their profits. Any time a major news cycle stirs a strong reaction, cybercriminals will not be far behind. The Coronavirus is no different. Shortly after the first cases were confirmed, DomainTools' researchers observed a minor uptick in domain name registrations leveraging "Coronavirus" and "COVID-19". Those registrations have spiked sharply in the past few weeks, and many of them are scams.
The DomainTools security research team has been continuously monitoring these suspicious domains and discovered one, coronavirusapp[.]site, that claims to offer a real-time Coronavirus outbreak tracker via an app download.
The site prompts users to download an Android app that promises a Coronavirus map tracker with tracking and statistical information about COVID-19, including heatmap visuals.
In reality, the app is ransomware. This Android ransomware, previously unseen in the wild, has been named "CovidLock" after its capabilities and its cover story. CovidLock denies the victim access to their phone by forcing a change to the password used to unlock the screen. This technique, known as a screen-lock attack, has been used by Android ransomware before.
The ransom note demands $100 in bitcoin within 48 hours. It threatens to erase the victim's contacts, pictures and videos and to wipe the phone's memory. It even claims it will leak the victim's social media accounts publicly.
Since Android Nougat (7.0), Android has had protection against this type of attack: an app can no longer reset a lock-screen password that the user has already set. That protection only applies if you have set one. If you have not set a password to unlock your phone's screen, you are still vulnerable to CovidLock.
The DomainTools security research team has recovered the decryption key by reverse-engineering the app and will post it publicly. The team also has the attacker's BTC wallet address and is monitoring its transactions. Further technical details will be released soon.