Another malicious actor has weaponized an otherwise legitimate, interactive coronavirus tracking map created by Johns Hopkins University — this time to deliver Android spyware as part of a campaign that originates out of Libya and seemingly targets individuals within that country.
The surveillanceware, known as SpyMax, comes packaged in a trojanized application named “corona live 1.1,” according to a blog post today from researchers at Lookout who discovered the scheme. It can access sensitive Android phone data and SMS messages, modify settings, provide a shell terminal, record audio, operate the camera and more.
It can do all this because it first asks victims who downloaded the so-called virus tracker for a myriad of permissions. SpyMax is said to be in the same family as another piece of inexpensive commercially available surveillanceware called SpyNote, which carries similar functionality. Both programs contain a hard-coded address for C2 server communication.
Earlier this month, cybersecurity researchers reported that the Johns Hopkins COVID-19 tracker was copied, weaponized and placed in malicious domains in a campaign to infect victims with a variant of the information-stealing AZORult malware. The real, safe version of the map is available here.
The malicious corona live 1.1 app is part of a larger surveillanceware campaign that’s been operating since April 2019. This campaign has leveraged 30 unique APKs, all sharing the same infrastructure, Lookout reports. Only one other of these 30 apps, called Crona, shares a COVID-19 theme. Others claim to be media players or other types of apps.
Three of the apps purport to be Libya Mobile Lookup, a service that enables users to find the customer name of a corresponding Libyan mobile number. “These trojanized apps belong to the SpyNote family and are the earliest samples ingested that communicate with the C2 infrastructure,” states the Lookout blog post, authored by security researcher Kristen del Rosso. “This indicates they were likely the first apps rolled out in this surveillance campaign, and offer insight into who the targeted demographic might be.”
Furthermore, the malware’s C2 domain was found to previously resolve to various IP addresses operated by the ISP Libyan Telecom and Technology, suggesting a Libyan actor is targeting people within Libya. Lookout has found no evidence the campaign is state-sponsored, but cannot rule the possibility out either.
“…[T]he commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold,” the blog post concludes. “That’s why, even in times of crisis, it’s important to avoid downloading apps from third-party app stores and clicking suspicious links for ‘informative’ sites or apps spread via SMS, especially from an unknown number.”