As COVID-19 continues to spread around the world, so does the use of risky mobile applications designed to help track the outbreak. Some of these apps already present troubling privacy implications due to their ability to track the movements of local citizens and collect information on them. But beyond that, they may also be saddled with vulnerabilities, or have been ripped off by copycats, perhaps for nefarious purposes.
Indeed, researchers from the ZeroFOX Alpha Team on Monday reported finding suspicious or even outright malicious versions of government-sanctioned COVID-19 mobile applications in Iran and Italy. Users in these countries — both among the hardest hit by the virus — are likely downloading these versions from untrustworthy third-party sources instead of from the official app store.
“A greater number of government-sanctioned applications causes users to be less certain of which applications are legitimate,” says the blog post report. “Threat actors have taken advantage of this confusion, and have released malicious applications… to prey on users who may mistakenly download the malicious app. To prevent this and protect their citizens, it is highly important that governments ensure consistency with where applications are able to be downloaded, and even with their appearance.”
The same research team also discovered that a legitimate, government-approved mobile app in Colombia contained an encryption flaw that could have allowed attackers to intercept sensitive user information in clear text.
In the Italian case, Alpha Team found 12 malicious APKs impersonating a genuine app from developer SoftMining called SM-Covid-19. The campaign is designed to infect users with backdoor malware that starts after an Android device reboots.
According to the report, the campaign leverages reverse TCP tunnels, the Metasploit penetration testing framework and msfvenom tools to infect individuals.
The copycat Iranian app, meanwhile, is somewhat unusual because it’s unclear to what degree the fake app is any more dangerous than the actual government-sponsored one, which is available via the Iranian app store Cafe Bazaar.
ZeroFOX doesn’t name the official Iranian program, but based on various reports, it is likely the “AC19” app, which has been compared to surveillanceware for its heavy-handed approach toward tracking the country’s citizens and harvesting personal information. The fake version — named CoronaApp and available for download from a website listed in various news websites, Telegram groups and social network posts — does much of the same, the researchers said.
“Alpha Team has analyzed the unofficial CoronaApp, and although no evidence of ill-intent was identified, the app does request permissions to access a user’s location, camera, internet data, system information and write to external storage,” the report states. “Intrusive permissions are not necessarily an indication of something malicious, but rather, this particular collection of permissions demonstrates the likely intent of the developer to access sensitive user information.”
Indeed, by allowing all the permissions, the application is able to exfiltrate details related to a device’s ID, IP address, MAC address, geolocation, language, active default data network, connection status, supported network types and more. The app’s code libraries arouse suspicion as well, and to make matters worse it does not does not use Transport Layer Security (TLS) for data transfer. For that reason, Alpha Team “assesses with HIGH confidence that this application can be abused in the future,” the report concludes.
The researchers also found a legitimate, official coronavirus app that was similarly lacking in TLS security — the Colombian COVID-19 mobile app “CoronApp-Colombia.” The app reportedly was insecurely communicating with the API server throughout the app workflow, using HTTP instead of HTTPS.
ZeroFOX said that after it alerted the Colombian CERT on March 26, the developer fixed the problem just days later.
Prior to the security update, “ZeroFOX Alpha Team installed the app on an Android Emulator and captured traffic going to this server with Wireshark. We successfully created a user in the app, and captured all the information (PII and PHI) over cleartext, demonstrating the ease with which an attacker could man-in-the-middle this traffic. Successfully doing so would give attackers access to the PII and PHI of any user of CoronApp-Colombia,” the report stated.
“Although there is something to be said about rapid response during a crisis, failure to do due diligence and review code prior to releasing it to hundreds of thousands of users puts citizens at risk,” ZeroFOX concludes in its report. “Insecure mobile applications… put sensitive user health and personal information at risk of being compromised.”