Malicious Coronavirus victim tracking app demands ransom payment from Android users

Graham Cluley @gcluley

Malicious Coronavirus victim tracking app demands ransom payment from Android users

Researchers at DomainTools have issued an alert about a malicious Android app that pretends to warn users about those infected with the COVID-19 Coronavirus in their vicinity.

In truth, the app locks users out of their devices and demands that $100 worth of Bitcoin ransom payment is made within 48 hours. If payment is not made, the ransomware claims, the phone will be completely erased and pictures, videos, and social media accounts shared online:

Corona ransomware

YOUR PHONE IS ENCRYPTED: YOU HAVE 48 HOURS TO PAY 100$ in BITCOIN OR EVERYTHING WILL BE ERASED

1. What will be deleted? your contacts, your pictures and videos, all social media accounts will be leaked publicly and the phone memory will be completely erased
2. How to save it? you need a decryption code that will disarm the app and unlock your data back as it was before
3. How to get the decryption code? you need to send the 100$ in bitcoin to the adress below, click the button below to see the code
NOTE: YOU GPS IS WATCHED AND YOUR LOCATION IS KNOWN, IF YOU TRY ANYTHING STUPID YOUR PHONE WILL BE AUTOMATICALLY ERASED

The researchers at DomainTools discovered the malware – which they have named CovidLock – after investigating the increased number of domain registered in the past few weeks related to Coronvavirus and COVID-19, many of which have been used to spread scams or false information.

In this particular case, the researchers discovered the malicious Android app was being distributed from a site called coronavirusapp[.]site (I don’t recommend visiting it), rather than via the official Google Play marketplace.

The fact that the app is only available from a third-party source does limit its ability to infect Android devices, as only users who visit the site, ignore the many warnings issued in the past about “side-loading” apps from unknown sources, and grant the app permissions to access the device’s accessibility settings and lock screen will be at risk.

Activate lock screen

Activate lock screen to get instant alert when a coronavirus patient is near you

DomainTools says that CovidLock’s screen-lock attack will not work on devices running Android Nougat or higher (Android 7.0 or later) if an unlock password has already been set by the user.

Fortunately, CovidLock does not appear to be the most accomplished ransomware ever written – and so even if you are unlucky enough to have had your phone infected it may be possible to recover access to your data without paying a ransom. Reddit users report that they have successfully analysed the app and determined the decryption password.

As ever, despite its shortcomings, Google’s official Play Store is a safer source for apps than third-party unofficial sites. Furthermore, if you’re an Android user always be very careful about what permissions you grant an app. One careless choice could lead to your data and privacy being put at risk.

For more discussion of this topic, listen to the “Smashing Security” podcast:

Smashing Security #170: 'PornHub, Coronavirus apps, and remote working'

Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
More episodes...

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.