Android Malware takes advantage of COVID-19

In these times of pandemic, when we’ve all been on lockdown to stop the spread of COVID-19, malware developers are experiencing what is probably one of their busiest periods.

For most malware families, whether ransomware, RATs or any other type, samples have been detected that use the coronavirus to increase their infection rates.


For attackers, this complicated situation has offered a new way of upping the number of devices that fall prey to their creations: fake applications that claim to help control the spread of the coronavirus, maps showing the evolution of the pandemic, and malicious apps that supposedly give recommendations on how to avoid catching the biological virus.

In these difficult times, users tend to lower their guard and show an interest in any application related to COVID-19 that might provide information on the state of the pandemic. The upshot of this is that mobiles and computers end up installing and executing applications that compromise the security of the system. Malware developers are fully aware of the situation and are taking advantage of it to flood the web with fake apps that hide malicious functions.

At the beginning of the lockdown, we talked about the ‘Vicious Panda’ malware campaign, which used the health crisis to infect computers by sending out malicious emails containing supposed information on the virus.


Banking malware related to COVID-19

One of the sectors where we’ve seen the greatest amount of activity in terms of using the coronavirus to spread malicious applications is banking malware for Android. Almost all the active families have distributed at least one sample masquerading as an app with information on the virus.

In terms of technical features, these samples bring nothing new: the functionality is the same as described in previous posts and reports on the ‘banker’ families Anubis Bankbot, Cerberus, GINP and Eventbot.


In the case of GINP, the family of banking malware that exclusively targets Spanish banks, not only have samples been detected that are specially designed (with the app name and icon) to make the user believe they are looking at an app with information on the coronavirus; the family also makes use of generic samples that masquerade as video players.

In the case of video player samples, to deceive the user by taking advantage of COVID-19, developers have used fraudulent websites that show a fake video on how to use a face mask. To see the video, the victim needs to download the malicious application.

Image: A fraudulent website distributes the GINP trojan as a fake video player

The Anubis Bankbot family is also keeping up with the times and has distributed new samples that, as can be seen in the following image, pass themselves off as an app for receiving COVID-19 alerts when in fact it’s a malicious application designed to siphon banking credentials.

Image: Fake alert application distributed by Anubis Bankbot

The most common type of apps are those masquerading as applications for receiving coronavirus alerts or tracking global infections. In the case of Cerberus, we find a sample that promises to be a coronavirus tracker.

Image: Fake coronavirus tracker distributed by Cerberus

In other cases, the trojan even masquerades as an application for showing data on COVID-19 cases in the user’s area.

Image: GINP banker that claims to track local cases


Non-banking malware related to COVID-19

It’s not only the banking trojans that are trying to cash in on COVID-19 to spread apps related to the virus; a whole range of other malware families are also using this strategy to increase their infection rates.

Some attackers have used legit apps to spread their malicious applications. In the case of the ‘AhMyth’ spyware, its creators have tweaked a benign application available on Google Play that showed the evolution of the coronavirus. In this case, a malicious functionality has been added to the app, adding on the extra permissions it needs to operate and the code required at the start of the main activity to initiate the malicious service.

Image: Initiation of the malicious service through the main activity

This spyware trojan lets its developers send text messages and read incoming messages, grab files stored in the device, record audio, take photos with the camera, access the device’s location and harvest the contact list, as well as the call log. As can be seen, ‘AhMyth’ is quite a complex and dangerous spying trojan that has leveraged COVID-19 to attack a higher number of victims.

Image: Classes that implement the trojan’s functionality

As can be expected, as well as spyware, samples of adware have also been detected, specifically from the ‘Joker’ and ‘HiddenAd’ families, masquerading as apps for receiving coronavirus news and alerts.


Image: Coronavirus app infected with HiddenAd

Lastly, we’ve also been seeing applications built with Metasploit which inject code into legitimate applications to establish a connection with the attacker that gives them remote control over the device.
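Both the AhMyth case above (a benign Google Play app republished with extra permissions and a service started from the main activity) and the Metasploit-injected apps share one tell: the package looks the same, but the manifest declares more than the original. The following is an added triage example, not buguroo’s tooling; the two manifests, the package name and the component names are constructed samples.

```python
# Added example (not buguroo's code): diff a known-good manifest against a
# suspect rebuild to surface the extra permissions and the new background
# component that a repackaged app needs. Both manifests are constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that spyware, SMS stealers and reverse shells commonly add.
HIGH_RISK = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
             "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
             "android.permission.ACCESS_FINE_LOCATION"}

ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidtracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidtracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def parse_manifest(xml_text):
    """Return (permission names, declared components) of a manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    comps = {(tag, e.get(NS + "name")) for tag in ("activity", "service",
             "receiver", "provider") for e in root.iter(tag)}
    return perms, comps

def diff_manifests(original_xml, suspect_xml):
    """Report what the suspect build declares beyond the known-good one."""
    base_perms, base_comps = parse_manifest(original_xml)
    sus_perms, sus_comps = parse_manifest(suspect_xml)
    added_perms, added_comps = sus_perms - base_perms, sus_comps - base_comps
    # A new service or receiver under an unchanged package is the classic
    # sign of a trojanized rebuild, as with the tracker described above.
    new_bg = [c for c in added_comps if c[0] in ("service", "receiver")]
    return {"added_permissions": sorted(added_perms),
            "high_risk_permissions": sorted(added_perms & HIGH_RISK),
            "added_components": sorted(added_comps),
            "suspicious": bool(added_perms & HIGH_RISK) or bool(new_bg)}
```

In practice the manifests come from decoding the original and suspect APKs; the comparison logic is the same.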




As we can see, a significant number of families of bankers are using the coronavirus to spread malicious applications among users, passing themselves off as apps for receiving news and alerts, for tracking cases and even watching videos about the correct way to use a face mask.

But it’s not only banking trojans that have taken advantage of people’s worry about the present situation; a whole range of malware types have used COVID-19 to increase their infection rate, from adware to spyware and even Metasploit payloads injected into coronavirus apps.

We need to be on guard not only against the biological virus but also technological threats that add an extra layer of danger to the pandemic.








Android Banker: Eventbot

Since March, there have been signs of a new trojan in the sphere of banking malware for Android. The name given to this new family is ‘Eventbot’. This is mainly due to the fact that the word ‘event’ is used in the malicious app package identifier, probably because of its novel functionality of using accessibility events to steal credentials.

Most banking trojans use accessibility events to detect when an application is opened, before showing a webinject with a phishing form that siphons off the victim’s credentials.


Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.


