This Android Ransomware Targets Unsuspecting Individuals Through A Malicious Website


With the Wuhan coronavirus, COVID-19, declared a pandemic, the world is panicking and many businesses are struggling. On the web, however, things are quite the opposite.

News about the coronavirus keeps being delivered, more than ever before. With more people concerned about the situation, hackers are busy exploiting it to steal their sensitive information as well as their money.

After creating their own coronavirus tracking maps to entice people into installing malware on their PCs, hackers are going a step further by spreading fake coronavirus tracking Android apps to trick people into downloading ransomware.

Researchers from the security firm DomainTools found that there has been an increase in domain name registrations related to the coronavirus.

During their research, the team found a website (coronavirusapp[.]site) that prompts users to install an Android app that supposedly helps them track updates on the coronavirus pandemic.

Malicious coronavirus tracking app. Upon installing the app, users need to grant it excessive permissions. (Credit: DomainTools)

According to the researchers in a blog post:

"Cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that cause people to be emotional or fearful to drive their profits. Any time there are major news cycles happening on a topic that stirs a strong reaction, cybercriminals will not be far behind."

"The Coronavirus is no different."

The website the hackers created is quite deceptive.

First, it claims the app is certified by the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Second, the hackers also falsely claim that the app has received over 6 million reviews, a rating of 4.4 stars, and downloads reaching 500 million.

Third, the app description says it can send users an instant notification when a COVID-19 patient "is near you" in over 100 countries.

CovidLock showing its ransom note to victims. (Credit: DomainTools)

The app in question promises access to a coronavirus map tracker along with many other features.

During installation, the app asks users for various permissions, including access to the lock screen.

Once everything is granted and the app is installed, it becomes the carrier for a ransomware called 'CovidLock', which is able to change victims' lock-screen password, encrypt the phone, and ask victims to pay $100 in Bitcoin in return for the decryption key.
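As an added defensive triage example (not code from the article or from DomainTools), the following script checks an Android manifest for the combination of lock-screen permissions and a device-admin receiver that a screen locker of the kind described needs. The permission names are real Android identifiers, but which ones CovidLock actually requests is an assumption, and the sample manifest is constructed.

```python
"""Triage an Android manifest for the permission pattern a screen-locking
ransomware such as CovidLock needs (constructed example, not DomainTools' code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission identifiers that let an app seize or hold the lock
# screen. Which of them CovidLock actually requests is an assumption; the
# article only says the app asks for "access to the lock screen".
LOCK_SCREEN_PERMISSIONS = {
    "android.permission.DISABLE_KEYGUARD": "can dismiss the keyguard",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw a full-screen overlay",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can relaunch after reboot",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report lock-screen permissions requested and whether a device-admin
    receiver (the hook a locker uses to reset the screen password) is declared."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    hits = {p: why for p, why in LOCK_SCREEN_PERMISSIONS.items() if p in requested}
    device_admin = any(r.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    # A device-admin receiver plus at least two ways to hold the screen is the
    # combination that distinguishes a locker from an ordinary tracking app.
    risky = device_admin and len(hits) >= 2
    return {"lock_screen_permissions": hits, "device_admin": device_admin, "risky": risky}

# Constructed manifest modelled on the behaviour described above; not the real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coronavirus.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run against a decoded manifest (for example one extracted with apktool) to flag apps whose declared permissions go well beyond what a map tracker needs.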

The researchers at DomainTools looked into the content and found not just malware: the site's SSL certificate also suggested that the hackers behind this scam are connected to other pornographic and Android malware attacks.

The DomainTools security research team has reverse-engineered the decryption keys and said that it is going to post the key publicly.

In the meantime, people are urged to avoid scam coronavirus-related domains and to install apps only from the Play Store.

"Be sure to only use trusted information sources from government and research institution’s websites. Don’t click on anything in your email that’s health related. In general, be sure to follow all of the basic phishing recommendations—be aware that people are trying to capitalize on fear here," the researchers said.

"Ensure that you download Android applications only from the Google Play store. There is a much higher risk of downloading malware from untrusted 3rd party stores."

Published: 14/03/2020