Researchers have uncovered a mobile surveillance campaign that has used more than 30 malicious Android apps to spy on targets over the past 11 months. Two of the latest examples exploit the coronavirus by hiding off-the-shelf surveillance software inside apps that promise information about the ongoing pandemic.
One of the apps, "Corona Live 1.1", is a Trojanized version of "Corona Live", a legitimate app that provides an interface to the data found on this Johns Hopkins University tracker. The fake app contains a sample of SpyMax, commercially available monitoring software that attackers can use to control infected devices in real time. A second app used in the same campaign is called "Crona". The campaign, which has been active since at least April 2019, was discovered by researchers from the mobile security provider Lookout.
"This surveillance campaign shows how, in times of crisis, our innate need for information can be used against us for malicious purposes," Lookout researcher Kristin Del Rosso wrote in a post published on Wednesday. "In addition, the commercialization of off-the-shelf spyware kits makes it fairly easy for these malicious actors to launch these bespoke campaigns almost as quickly as a crisis like COVID-19 sets in."
Lookout researchers uncovered the ongoing campaign while analyzing Corona Live 1.1. Although the app appeared to be in an early stage of development, it contained a hard-coded address for its control server. When the researchers examined the control server's domain, they found it was used by around 29 other apps, all of which relied on commercially available surveillance software to spy on end users.
The latest sample was captured on Tuesday, and the command-and-control servers appeared to be online at the time this post was published on Ars. According to Lookout, the apps were never available on the Google Play market. Lookout has yet to determine how the apps are being distributed or how many devices have been infected.
While most of the apps were packaged under fairly generic names, one of them – "Libya Mobile Lookup" – suggested that the campaign may target people in the North African country. The control server's domain previously resolved to IP addresses operated by Libyan Telecom and Technology, a consumer ISP. The attackers hosted the server using No-IP, a service that makes it easy for consumers or very small businesses to link Internet domains to IP addresses that change frequently.
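The pivot Lookout describes (a hard-coded control-server address shared by many samples, hosted on a dynamic-DNS provider) can be reproduced on a defender's own sample set. The following is an added example, not code from the article or from Lookout: it clusters APKs by the hostnames embedded in their extracted strings and flags dynamic-DNS suffixes. The sample strings, APK names and the `EXAMPLE-C2` hostname are constructed placeholders, and the suffix list is an assumption to be extended.

```python
import re
from collections import defaultdict

# Constructed sample data: strings pulled from hypothetical APKs (e.g. via
# `strings classes.dex`). Hostnames are placeholders, not the campaign's real C2.
SAMPLE_STRINGS = {
    "corona_live_1.1.apk": [
        "Lcom/example/CoronaLive;",
        "http://EXAMPLE-C2.ddns.net:1337/",
        "https://api.example.org/data",
    ],
    "crona.apk": ["EXAMPLE-C2.ddns.net", "Lcom/spy/Main;"],
    "libya_mobile_lookup.apk": ["http://EXAMPLE-C2.ddns.net/gate"],
    "benign_weather.apk": ["https://weather.example.com/v1"],
}

# Suffixes handed out by dynamic-DNS providers such as No-IP (assumed list).
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".zapto.org")

# Dotted hostname, optionally preceded by a scheme and followed by a port/path.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d+)?(?:/|$)")


def extract_hosts(strings):
    """Return the set of lower-cased hostnames found in a list of strings."""
    hosts = set()
    for s in strings:
        for m in HOST_RE.finditer(s):
            hosts.add(m.group(1).lower())
    return hosts


def cluster_by_c2(samples):
    """Map each hostname to the set of APKs that embed it."""
    clusters = defaultdict(set)
    for apk, strings in samples.items():
        for host in extract_hosts(strings):
            clusters[host].add(apk)
    return clusters


def is_dynamic_dns(host):
    return host.endswith(DYNAMIC_DNS_SUFFIXES)


def pivot_report(samples):
    """Hosts shared by more than one APK, or on dynamic DNS, with their APKs."""
    report = {}
    for host, apks in cluster_by_c2(samples).items():
        if len(apks) > 1 or is_dynamic_dns(host):
            report[host] = {"apks": sorted(apks), "dynamic_dns": is_dynamic_dns(host)}
    return report
```

Running `pivot_report(SAMPLE_STRINGS)` groups the three spyware samples under the shared dynamic-DNS host while the benign app's API host is not reported.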
"The person or group running the campaign is likely to be in Libya, using their own infrastructure to run the C2, or using compromised infrastructure there," Del Rosso wrote. "Since the applications are also aimed specifically at Libyan users, this appears to be a regionally oriented surveillance measure."
Lookout isn't the only security company detecting malicious Android apps that exploit coronavirus fears. On Wednesday, anti-virus provider Avast announced apklab.io, a resource where researchers can contribute and analyze Android malware related to the pandemic. The site currently tracks more than 450 APKs. Last week, DomainTools researchers disclosed another malicious Android app that also claims to offer maps related to the virus.
SpyMax appears to have been developed by the same people behind another commercially available surveillance tool called SpyNote. Other surveillance software used in the campaign includes SonicSpy, SandroRat and MobiHok. Both SpyNote and MobiHok charge relatively low fees and also offer user support. Combined with a simple checkout process, this makes it easy for even beginners to purchase, customize and manage their own surveillance tools.
A screenshot of the SpyMax administration console, which gives attackers access to a variety of resources on infected devices.
Lookout has no evidence that hackers working for a nation state are running the campaign. However, the security company did not rule out the possibility, since nation states have used pre-built tools and malware from both open-source and commercial sources. On the other hand, nation states often develop their own tools. The bottom line is that there is no way to be sure what kind of organization is behind the campaign.
The recent additions of coronavirus-themed Trojans to this ongoing campaign underscore how quickly attackers can take advantage of major news events. Readers are again reminded to remain extremely skeptical of apps, maps, or other information related to the pandemic, especially Android apps obtained from third-party sources. Instead, users should seek information from trusted sources such as this page from the United States Centers for Disease Control and Prevention or the Johns Hopkins resource linked above.