Check Point Research has identified malicious applications, masquerading as innocuous Coronavirus apps, that are designed to take control of Android devices. Once the malicious application is installed, an attacker gains intrusive control of the device through a remote shell, with access to the user’s calls, SMS, calendar, files, contacts, microphone and camera, as well as privileges to write, add and send data.
The malicious applications were not found on the Google Play Store, but were discovered on new Coronavirus-related domains, which researchers believe were created specifically to deceive the public by exploiting fear of the Coronavirus. Most frightening is the speed and ease with which these device-takeover apps can be created, and by whom.
Check Point researchers traced the origins of the malicious applications. The applications were crafted with Metasploit, a free penetration-testing framework that makes hacking simple. Using Metasploit, anyone with basic computer knowledge can craft the same malicious applications in just 15 minutes. It is as simple as: point Metasploit at your target, pick an exploit, choose a payload to drop and hit Enter. In this case, the Metasploit-crafted apps were targeting everyday people searching for Coronavirus-related content.
Check Point researchers found three samples, created with the Metasploit Framework, carrying the innocent name ‘coronavirus.apk’. This app can easily be delivered to and installed on large numbers of devices, and can then take over the device. Once executed on the Android device, the app starts a service that hides its icon in order to make it harder to remove. It then connects to a command-and-control (C&C) server whose address is stored in an array in the malware’s code.
“We’re living in very difficult times. Not only is there a physical threat from Coronavirus, but also a substantial cyberthreat,” said Aviran Hazum, Manager of Mobile Research at Check Point. “Hackers are feasting on concerns around Coronavirus by creating malicious applications that have names and icons suggesting they’re harmlessly related to Coronavirus, but the truth is they are traps. In this case, what’s alarming is the speed and simplicity in crafting these disguised Coronavirus apps. I caution everyone to triple-check the domains they click on these days.”
Recently, Check Point reported that more than 30,103 new Coronavirus-related domains were registered in the past few weeks, of which 0.4% (131) were malicious and 9% (2,777) were suspicious and under investigation. This means over 51,000 Coronavirus-related domains in total have been registered since January 2020.
All in all, Check Point’s researchers discovered 16 different malicious apps, all masquerading as legitimate Coronavirus apps, which contained a range of malware aimed at stealing users’ sensitive information or generating fraudulent revenue from premium-rate services. Three of the 16 were Metasploit-crafted applications.