
Android Malware takes advantage of COVID-19

Written by David Morán | May 19, 2020 10:02:56 AM

In these times of pandemic, when we’ve all been on lockdown to stop the spread of COVID-19, malware developers are experiencing what is probably one of their busiest periods.

For most families of malware, whether ransomware, RATs or any other type, samples have been detected that use the coronavirus to increase their infection rates.

For attackers, this complicated situation has offered a new way of upping the number of devices that fall prey to their creations: fake applications to control the spread of the coronavirus, maps showing the evolution of the pandemic, and malicious apps that supposedly give recommendations on how to avoid catching the biological virus.

In these difficult times, users tend to lower their guard and show an interest in any application related to COVID-19 that might provide information on the state of the pandemic. The upshot is that users end up installing and running applications on their phones and computers that compromise the security of the system. Malware developers are fully aware of the situation and are taking advantage of it to flood the web with fake apps that hide malicious functions.

At the beginning of the lockdown, we talked about the ‘Vicious Panda’ malware campaign, which used the health crisis to infect computers by sending out malicious emails containing supposed information on the virus.


Banking malware related to COVID-19

One of the sectors where we’ve seen the greatest amount of activity in terms of using the coronavirus to spread malicious applications is banking malware for Android. Almost all the active families have distributed at least one sample masquerading as an app with information on the virus.

Technically, these samples bring nothing new; their functionality is the same as described in previous posts and reports on the ‘banker’ families Anubis Bankbot, Cerberus, GINP and Eventbot.

In the case of GINP, the family of banking malware that exclusively targets Spanish banks, samples have been detected that are specially designed (with the app name and icon) to make the user believe they’re looking at an app with info on the coronavirus, and the family also makes use of generic samples that masquerade as video players.

In the case of video player samples, to deceive the user by taking advantage of COVID-19, developers have used fraudulent websites that show a fake video on how to use a face mask. To see the video, the victim needs to download the malicious application.

A fraudulent website distributes the GINP trojan as a fake video player

The Anubis Bankbot family is also keeping up with the times and has distributed new samples that, as can be seen in the following image, pass themselves off as apps for receiving COVID-19 alerts when in fact they are malicious applications designed to siphon banking credentials.

Fake alert application distributed by Anubis Bankbot

The most common apps are those masquerading as applications for receiving coronavirus alerts or tracking global infections. In the case of Cerberus, we find a sample that promises to be a coronavirus tracker.

Fake coronavirus tracker distributed by Cerberus

In other cases, the trojan even masquerades as an application for showing data on COVID-19 cases in the user’s area.

GINP banker that claims to track local cases


Non-banking malware related to COVID-19

It’s not only the banking trojans that are trying to cash in on COVID to spread apps related to the virus. A whole range of other malware is also using this strategy to increase its infection rates.

Some attackers have used legitimate apps to spread their malicious applications. In the case of the ‘AhMyth’ spyware, its creators tweaked a benign application available on Google Play that showed the evolution of the coronavirus: they added malicious functionality to the app, together with the extra permissions it needs to operate and the code required at the start of the main activity to initiate the malicious service.

Initiation of the malicious service through the main activity

This spyware trojan lets its developers send text messages and read incoming messages, grab files stored in the device, record audio, take photos with the camera, access the device’s location and harvest the contact list, as well as the call log. As can be seen, ‘AhMyth’ is quite a complex and dangerous spying trojan that has leveraged COVID-19 to attack a higher number of victims.

Classes that implement the trojan’s functionality
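
A defender-side check for the repackaging described above, as an added example that is not part of the original post: it diffs the decoded manifest of a suspect build against the reference build and reports the permissions and service components that were added. The permission-to-capability mapping, the package name and the service name are assumptions made for illustration, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permission -> capability from the list above (this mapping is the example's assumption).
SPY = {"SEND_SMS": "send SMS", "READ_SMS": "read SMS", "RECEIVE_SMS": "read SMS",
       "READ_EXTERNAL_STORAGE": "read files", "RECORD_AUDIO": "record audio",
       "CAMERA": "camera", "ACCESS_FINE_LOCATION": "location",
       "READ_CONTACTS": "contacts", "READ_CALL_LOG": "call log"}

def manifest_facts(xml_text):
    """Return (permissions, services) declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(ANDROID + "name", "") for e in root.iter("uses-permission")}
    services = set()
    for e in root.iter("service"):
        name = e.get(ANDROID + "name", "")
        services.add(pkg + name if name.startswith(".") else name)  # ".Foo" shorthand
    return perms, services

def diff_against_reference(reference_xml, suspect_xml):
    """Report what the suspect build declares that the reference build does not."""
    ref_perms, ref_services = manifest_facts(reference_xml)
    sus_perms, sus_services = manifest_facts(suspect_xml)
    added = sus_perms - ref_perms
    caps = {SPY[p[len(P):]] for p in added if p.startswith(P) and p[len(P):] in SPY}
    return {"added_permissions": sorted(added), "capabilities": sorted(caps),
            "added_services": sorted(sus_services - ref_services)}

# Constructed manifests (hypothetical package and class names), as decoded by a tool such as apktool.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.covidtracker">'
REFERENCE = HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
SUSPECT = HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".injected.MainService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(diff_against_reference(REFERENCE, SUSPECT))
```

A new service combined with added SMS, audio or contacts permissions in a build that claims to be an existing store app is a strong signal for manual review of the main activity's start-up code.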

As can be expected, as well as spyware, samples of adware have also been detected, specifically from the ‘Joker’ and ‘HiddenAd’ families, masquerading as apps for receiving coronavirus news and alerts.

Coronavirus app infected with HiddenAd

Lastly, we’ve also been seeing applications built with Metasploit, which inject code into legitimate applications to establish a connection with the attacker that gives them remote control over the device.



As we can see, a significant number of families of bankers are using the coronavirus to spread malicious applications among users, passing themselves off as apps for receiving news and alerts, for tracking cases and even watching videos about the correct way to use a face mask.

But it’s not only banking trojans that have taken advantage of people’s worry about the present situation – a whole range of malware types have used COVID-19 to increase their infection rate, from adware to spyware and even payloads from Metasploit injected into coronavirus apps.

We need to be on guard not only against the biological virus but also technological threats that add an extra layer of danger to the pandemic.



