Check Point identified malicious applications, masquerading as innocuous coronavirus apps, that are really designed to take control of your Android device. Once the malicious application is installed, a hacker takes intrusive control of your device via a remote shell, accessing a person’s calls, SMS, calendar, files, contacts, microphone and camera, in addition to write, add and send privileges. The malicious applications were not found on Google Play Store, but were discovered in new Coronavirus-related domains, which researchers believe were created specifically for the intention to deceive the masses by leveraging the fear circling coronavirus. Most frightening is the speed and ease of which these device takeover apps can be created, and who can create it.
Anyone in 15 minutes
After the discovery, Check Point researchers began to trace the origins of the malicious applications. The applications were crafted via Metasploit, a free-penetration testing framework that makes hacking simple. Using Metasploit, anyone with basic computer knowledge can craft the same malicious applications in just 15 minutes. It’s as simple as: point Metasploit at your target, pick an exploit, choose a payload to drop, and hit Enter. In this case, the Metasploit crafted apps were targeting everyday people searching for Coronavirus related content.
Check Point researchers were able to find three samples, created by Metasploit Framework, carrying the innocent name – ‘coronavirus.apk’. This app can be easily delivered and installed on large numbers of devices, and can execute device takover. Once executed on the Android device, the app starts a service that hides its icon in order to make it harder to get rid of it. It continues by connecting to a C&C server (Command and Control) stored in an array in the malware’s code.
Check Point’s Manager of Mobile Research, Aviran Hazum, said, “We are living in very difficult times. Not only is there a physical threat from coronavirus, but also a substantial cyber threat. Hackers are feasting around the fear of coronavirus by creating malicious applications that have names and icons suggesting they’re harmlessly related to coronavirus, but truth is they are traps. In this case, what’s alarming is the speed and simplicity in crafting these disguised coronavirus apps. I caution everyone to triple check the domains they click on these days.”
Explosion in coronavirus domains
Recently, Check Point reported more than 30,103 new coronavirus-related domains were registered in the past few weeks, of which 0.4% (131) were malicious and 9% (2,777) were suspicious and under investigation. This means over 51,000 of coronavirus-related domains in total have been registered since January 2020.
More phony coronavirus apps discovered
All in all, Check Point’s researchers discovered 16 different malicious apps, all masquerading as legitimate coronavirus apps, which contained a range of malware aimed at stealing users’ sensitive information or generating fraudulent revenues from premium-rate services. Three of the 16 were Metasploit crafted applications.
How to protect yourself?
If you suspect you may have one of these infected apps on your device, here’s what you should do:
- Uninstall the infected application from the device
- Install a security solution to prevent future infections
- Update your device Operation System and Applications to the latest version
Tips to keep your mobile devices safe:
- Don’t Connect to Public Wi-Fi networks
- Enable remote lock and data wipe for mobile devices
- Avoid answering unsolicited calls, or even block them
- When you surf the web, make sure you only use websites secured with SSL, also on mobile
- Download applications only from the official app stores