As the Coronavirus spreads across countries creating fear across the globe, everybody wants to stay on top of any information related to it wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously on the Android Playstore, there were many applications present which claimed that they could provide Coronavirus tracking information. But Google has set up some rules for these types of applications and have considered these under the ‘Sensitive events’ category. According to policies from this rule, Google proactively removed many applications from Playstore to stop malware authors to take advantage of this situation.
But malware authors have used another way to enter into the user’s phone. They are using their sites to publish malicious apps developed by hackers themselves. There is a website named ‘coronavirusapp[.]site’ —on this website, an Android application is hosted which claims to get real-time info about Coronavirus patients. The application claims that it will give notification to the user if a Coronavirus patient is present in the vicinity.
Fig. 1 – Site snapshot
But in reality, this app is ransomware —it locks the user’s android device and asks for a ransom.
Technical Analysis of the App:
After launch, this application asks to ignore battery optimization so it can run in the background.
Fig. 2 – Asking for Battery optimization
After getting this permission it starts its malicious activity where it asks for accessibility permission —accessibility was introduced in Android to assist physically impaired users. Accessibility service has access to sensitive information such as the information about running applications on the phone. Attackers can misuse this data. The App’s next step is to ask for device admin permission. Device administrator enabled app can enforce security policies, password policies being one of them. Malware authors can use this permission to take control of the device.
Fig. 3 – Activities asking for device admin permission and accessibility
After granting permissions, when the user clicks on ‘scan area for coronavirus’, the app calls upon the onhideapp() method which further checkmarks all required permissions. If all permissions are given by the user, it hides its icon from the application drawer.
Fig. 4 – Code to hide the application icon
How does this malware lock the phone?
Fig. 5 – Phone locking flow
Below are the events which occur to lock User’s device:
- Due to accessibility permission malware can get all accessibility events. In the above code snippet (block 1) we can see it checks accessibility event type, If this type is TYPE_WINDOW_CONTENT_CHANGED (Constant Value:2048) Or TYPE_WINDOW_STATE_CHANGED (Constant Value: 32) it calls upon the method Onblocker().
- In this method it creates a new thread (code snippet block 2) in which it calls method startblockedactivity(), which starts BlockedAppactivity. Before calling this it checks various conditions such as, if the app is hidden from the app drawer (code snippet block 3).
- Then BlockedAppactivity is started. In oncreate it sets contentview to blocked app which is the ransomware note (code snippet block 4).
Thus, whenever the user tries to open any app this activity opens not allowing the user to use the intended app.
Below is a snapshot of ransomware note activity. Where the malware author asks for 250 $ ransom. There is another variant of the app in which ransom amount is 100 $. There is a button ‘Web designius’. —when a user clicks on this button it redirects to Pastebin page where malware author has given instructions to unlock the phone.
Fig. 6 – a variant of coronavirus tracker ransomware with 250 $ ransom note
Fig. 7 – a variant of coronavirus tracker ransomware with 100 $ ransom note
Malware author has written pin verification code in the same activity. The BlockedAppactivity has a function named verifyPin() which checks input code to hardcoded key ‘4865083501’. By entering this key user can unlock his phone.
Fig. 8 – Pin verification code
There are many sites which are offering Coronavirus tracking maps and Coronavirus related information, many of these sites ask users to install Android applications to get more info. We have analyzed one of the sites which claims to give good info but in reality, is a ransomware app. Users should not fall prey to these types of apps and sites. If they want information for their safety, they can visit the official WHO website.
Application name :
Quick Heal Mobile Security detects theses apps under detection Android.Locker.O
How to stay safe –
1. Check an app’s description before you download it.
2. Check the app developer’s name and their website.If the name sounds strange or odd, you have all the reasons to suspect it.
3. Go through the reviews and ratings of the app. But, note that these can also be faked.
4. Avoid downloading apps from third-party app stores.
5. Use a reliable mobile antivirus (like Quick Heal Total Security), that can prevent fake and malicious apps from getting installed on your phone.