We recently reported how hackers were abusing the deadly Coronavirus (COVID-19) pandemic to their advantage by exploiting the Coronavirus Maps to steal user information.
Not just this, cybercriminals also used the fear of coronavirus outbreak to launch email campaigns to infect users’ systems with malware.
Exploiting this situation further, a malicious Android app is now doing the rounds that claims to help track cases of the coronavirus but instead installs ransomware and locks users out of their device.
Discovered by DNS threat intelligence company DomainTools, the ransomware, dubbed "CovidLock", denies the victim access to their phone by forcing a change of the password used to unlock it. This is known as a screen-lock attack and has been seen before in Android ransomware: the app asks for device-administrator rights and then uses that privilege to set a new lock-screen password of its own choosing, so no file encryption is needed to hold the device hostage.
“Cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that cause people to be emotional or fearful to drive their profits,” wrote Tarik Saleh, Senior Security Engineer and Malware Researcher at DomainTools, in a blog post. “The coronavirus is no different. Shortly after the first cases were confirmed, DomainTools’ researchers observed a minor uptick in domain names leveraging Coronavirus and COVID-19. These registrations have peaked significantly in the past few weeks and many of them are scams.”
The domain coronavirusapp[.]site, and in particular the page coronavirusapp[.]site/mobile.html, claims to offer a real-time coronavirus outbreak tracker available as an app download.
The page prompts users to download an Android app (an APK served outside Google Play) that promises tracking and statistical information about COVID-19, including heatmap visuals. In reality, the app is the ransomware.
Once the ransomware performs the screen-lock attack, victims are given a 48-hour deadline to pay a $100 ransom in bitcoin to remove the lock. They are also threatened that their contacts, pictures, videos and the phone’s memory will be erased, and that their social media accounts will be leaked publicly.
“Note: Your GPS is watched and your location is known. If you try anything stupid your phone will be automatically erased,” claims the ransomware app.
Android Nougat (7.0) and later versions have protection in place against this type of attack: since API level 24, a device-administrator app calling DevicePolicyManager.resetPassword() can only set a password on a device that has none, and can no longer replace an existing one. The protection therefore only works if the user has already set a screen-lock password. Those who have not set a password (PIN, pattern or passcode) to unlock the screen, and anyone on a pre-Nougat device, remain vulnerable to the CovidLock ransomware.
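The screen-lock technique described above leaves a recognisable footprint in an APK: a broadcast receiver guarded by the BIND_DEVICE_ADMIN permission and a device-admin policy file that requests the reset-password and force-lock policies. The following Python script is an added example written for this article, not DomainTools' code and not taken from the CovidLock sample; it runs a static triage over a constructed, decoded AndroidManifest.xml and device_admin.xml (a real APK's binary XML would first be decoded with a tool such as apktool), flags the device-admin screen-locker pattern, and applies the Nougat rule from the paragraph above to decide whether a given device would actually be exposed. The manifest, package name and class names are invented for illustration.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace and the device-admin markers (real Android identifiers).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
LOCKER_POLICIES = {"reset-password", "force-lock"}
NOUGAT_API_LEVEL = 24  # Android 7.0

# Constructed sample manifest of a hypothetical tracker app; NOT CovidLock's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidtracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Coronavirus Tracker">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed res/xml/device_admin.xml for the same hypothetical app.
SAMPLE_POLICY = """
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <force-lock/>
  </uses-policies>
</device-admin>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_device_admin_receivers(manifest_xml):
    """Return receiver class names that register as device administrators."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        guarded = attr(recv, "permission") == BIND_DEVICE_ADMIN
        actions = {attr(a, "name") for a in recv.iter("action")}
        if guarded or DEVICE_ADMIN_ENABLED in actions:
            found.append(attr(recv, "name"))
    return found


def policies_used(policy_xml):
    """Return the sorted list of policies requested in a device-admin XML."""
    root = ET.fromstring(policy_xml)
    return sorted(p.tag for up in root.iter("uses-policies") for p in up)


def triage(manifest_xml, policy_xml):
    """Flag the device-admin screen-locker pattern (admin receiver + lock policies)."""
    receivers = find_device_admin_receivers(manifest_xml)
    policies = policies_used(policy_xml) if receivers else []
    suspicious = sorted(LOCKER_POLICIES & set(policies))
    verdict = ("screen-locker pattern" if receivers and suspicious
               else "no device-admin locker pattern")
    return {"device_admin_receivers": receivers,
            "policies": policies,
            "locker_policies": suspicious,
            "verdict": verdict}


def exposed_to_forced_password(api_level, has_screen_lock):
    """Nougat rule: resetPassword() from a device admin only works on pre-24 devices
    or on devices that have no screen-lock password set."""
    return api_level < NOUGAT_API_LEVEL or not has_screen_lock


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_POLICY))
    for api, lock in [(23, True), (28, False), (28, True)]:
        print("API %d, lock=%s -> exposed=%s" % (api, lock, exposed_to_forced_password(api, lock)))
```

The manifest check alone is not proof of malice, since legitimate MDM and anti-theft apps also register device-admin receivers with force-lock; the signal is the combination of a device-admin receiver, the reset-password policy and an app distributed outside Google Play that has no business administering the device.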
Thankfully, DomainTools has reverse-engineered the unlock key (the lock-screen password the malware sets) and will be posting it publicly, although a Redditor has already posted the apparent password too. The team also has the attacker’s bitcoin wallet address and is monitoring transactions associated with it.
To protect yourself, install Android apps only from the Google Play Store and not from untrusted third-party sites or stores, set a screen-lock password so Nougat’s protection applies, and be suspicious of any app that asks for device-administrator rights it has no obvious need for. Also refrain from clicking links or opening attachments in unsolicited health-related emails.