Skip to content
MILKING FEAR

Android surveillanceware operators jump on the coronavirus fear bandwagon

An 11-month-old surveillance campaign is the latest to exploit pandemic fears.

Dan Goodin | 15
Photograph of a smartphone with googly eyes attached to it.
Credit: ShellyS / Flickr
Story text

Researchers have uncovered a mobile surveillance campaign that has used more than 30 malicious Android apps to spy on targets over the past 11 months. Two of the most recent samples are exploiting the coronavirus by hiding off-the-shelf surveillanceware inside apps that promise to provide information about the ongoing pandemic.

One of the apps, “corona live 1.1,” is a trojanized version of “corona live,” a legitimate app that provides an interface to data found on this tracker from Johns Hopkins University. Buried inside the spoofed app is a sample of SpyMax, a commercially available piece of surveillanceware that gives attackers real-time control of infected devices. A second app used in the same campaign is called “Crona.” The campaign, which has been active since April 2019 at the latest, was discovered by researchers from mobile-security provider Lookout.

“This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends,” Lookout researcher Kristin Del Rosso wrote in a post published on Wednesday. “Furthermore, the commercialization of off-the-shelf’ spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold.”

Lookout researchers uncovered the ongoing campaign when analyzing “corona live 1.1.” While the app appeared to be in the early stages of development, it had a hard-coded address of its control server. When examining the control server domain, the researchers found that it was being used by 29 or so other apps, all of which also used commercially available surveillanceware offerings to spy on end users.

The newest sample was ingested on Tuesday, and command and control servers appeared to remain online at the time this post was going live on Ars. Lookout said the apps were never available in the Google Play market. Lookout has yet to determine how the apps are distributed or how many devices have been infected.

DIY spy

While most of the apps were packaged using fairly generic names, one of them—“Libya Mobile Lookup”—hinted that the campaign may be targeting people in the North African country. The control server previously resolved to IP addresses operated by Libyan Telecom and Technology, a consumer ISP. The attackers hosted the server with the use of No-IP, a service that makes it easy for consumers or very small operations to link Internet domains to IP addresses that frequently change.

“The person or group running the campaign is likely in Libya and using their own infrastructure to run the C2, or is leveraging infrastructure they have compromised there,” Del Rosso wrote. “As the applications are also specifically aimed at Libyan users, this appears to be a regionally targeted surveillance effort.”

Lookout isn’t the only security firm to track malicious Android wares that exploit coronavirus anxieties. On Wednesday, antivirus provider Avast said it was unveiling apklab.io, a resource that allows researchers to contribute and examine Android malware with themes related to the pandemic. The site currently tracks more than 450 APKs. Last week, researchers at Domain Tools disclosed the existence of another malicious Android app that also claimed to offer maps related to the virus.

SpyMax appears to be developed by the same people behind another commercially available piece of surveillanceware called SpyNote. Other surveillanceware used in the campaign includes SonicSpy, SandroRat, and MobiHok. Both SpyNote and MobiHok charge relatively low fees and also offer user support. Combined with an easy checkout process, the apps make it easy for even novices to acquire, customize, and manage their own surveillance tools.

A screenshot showing the SpyMax administrative console. It allows attackers to access a variety of resources on infected devices.
Credit: Lookout
A screenshot showing the SpyMax administrative console. It allows attackers to access a variety of resources on infected devices. Credit: Lookout

Lookout has no evidence that hackers working for a nation-state are operating the campaign. The security company, however, didn’t rule out that possibility, since nation-states have previously been seen using out-of-the-box tools or malware from both open source and commercial sources. Then again, nation-states often develop their own tools. The bottom line is that there’s no way to be sure what kind of organization is behind the campaign.

The recent additions of coronavirus-themed trojans to this ongoing campaign underscores how quick attackers are to exploit major news events. Readers are once again reminded to remain highly skeptical of apps, maps, or other information related to the pandemic, particularly when those available for Android come from third-party markets. People should instead seek information from trusted sources such as this page from the US Centers for Disease Control and Prevention or the above-linked Johns Hopkins resource.

Listing image: ShellyS / Flickr

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
15 Comments
Prev story
Next story