Contact tracing and exposure notification apps are being developed in several countries to help control outbreaks of COVID-19. The apps have already been used in several countries and have been shown to help contain local outbreaks and prevent a second major peak of infections.
Recent research conducted by the cybersecurity firm Anomali has revealed that threat actors have developed fake contact tracing and exposure notification apps that are used to gain access to mobile devices. The fake contact tracing apps are designed to install malware and steal sensitive information. Several different malware variants have been installed by these apps, most commonly Anubis and SpyNote, but also a range of generic malware.
Installing a genuine COVID-19 tracing app will require permissions to be granted to the app. Similar permissions are requested by the fake apps, but granting those permissions will allow the fake app to download malware.
SpyNote, for example, gives an attacker access to SMS messages and GPS location, and can record calls, obtain contact information, browser histories, and device information, and exfiltrate files. Checks can be performed to identify installed apps, such as banking apps, that can be subsequently targeted. SMS messages can also be sent and exfiltrated, allowing 2FA codes to be obtained.
Anomali believes these malicious apps are being distributed using a number of different techniques, including third-party app stores, websites, and social media networks, and that they are also being installed by other applications.
The Anomali researchers have so far identified fake contact tracing apps targeting consumers in Armenia, Brazil, Colombia, India, Indonesia, Iran, Italy, Kyrgyzstan, Russia, and Singapore, but it is possible that other apps have been developed and are being used to target individuals in other countries. The fake contact tracing apps closely resemble the official apps being used in the above countries. Once installed, the apps run in the background and will not display an icon indicating the app has been launched.
It is highly likely that these attacks will spread to other countries, especially as the United States and United Kingdom launch their own apps and encourage consumers to download them. In the United Kingdom, the government is not mandating the use of these apps but has said that, when the official app is released, UK citizens have a civic duty to install it. With the alternative being the continuation of lockdown, it is highly likely that many people will download the app as a result.
When public health departments release COVID-19 contact tracing apps, it is essential that they are downloaded only from official sources and never installed via a third-party app store or a link sent via social media, email, or SMS.