Coronavirus Tracking App is Actually Phone-Locking Ransomware

As the coronavirus panic intensifies, it’s only natural for people to become desperate to learn if anyone in their immediate area has contracted the disease. It’s just as natural for them to welcome an app that promises to keep them updated on the latest COVID-19 news. And that’s exactly what the COVID-19 Tracker promises.

[Image: tracker]

In addition, your phone will receive “Instant Notification when a Coronavirus Patient is Near You.” Let’s face it, wouldn’t you like to know if that guy in front of you in line is a coronavirus victim?

Any doubts you may have about the app may diminish when you see that it is approved by the following agencies.

[Image: certified]

The website claims that it is the number one app for such information in 100 countries. It also claims that it has had over 6 million reviews and has achieved a 4.4 rating.

All that aside, you may still doubt the authenticity of the app. However, you know that you should hover the cursor over the “Download APK” link to see where the link actually goes. The destination is shown in the lower left-hand corner of the screen. When you do this, you will see that the exact destination is hidden in a bitly URL.

[Image: download]
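The hover check described above can also be automated when reviewing a page's HTML. The following Python code is an added example, not code from the original post; the shortener list, the official-store host and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, non-exhaustive lists (not from the article).
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
OFFICIAL_STORES = {"play.google.com"}
# Constructed sample page fragment; all URLs are placeholders.
SAMPLE_HTML = """<a href="https://bit.ly/EXAMPLE">Download APK</a>
<a href="https://play.google.com/store/apps/details?id=com.example.tracker">Google Play</a>
<a href="https://files.example.net/tracker.apk">Get the app</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def risky_download_links(html):
    """Return (text, href, reason) for app links that bypass the official store."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        # A link "offers an app" if its label mentions APK or it points at an .apk file.
        offers_app = "apk" in text.lower() or url.path.lower().endswith(".apk")
        if not offers_app or host in OFFICIAL_STORES:
            continue
        reason = ("destination hidden behind URL shortener" if host in SHORTENERS
                  else "APK offered outside the official store")
        findings.append((text, href, reason))
    return findings
```

Calling `risky_download_links(SAMPLE_HTML)` flags the shortened “Download APK” link and the direct `.apk` link, and skips the Google Play link.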

If, in the end, you decide to install the app, you will be asked for the following permissions.

[Image: permissions]

For some reason, you are told that the app will only work if you activate lock screen.

[Image: activate]

You also need to grant the app permissions.

[Image: enable app]

Performing these actions will allow the attackers to take control of your device and change its lock screen password.

When they get control of your phone, they will send you one of two possible ransom messages. Here is one of them.

[Image: ransom]

The Bad News

The bad news is that this attack looks like it’s still in the beta stage. According to an updated article on DomainTools, no one has paid any ransom yet, and it looks as if the attacker(s) may be in the process of setting all of this up. Sadly, all of the forensic information on this attack can be used as feedback by the hacker to repair any flaws before it is seriously launched.

The attacker will often offer the malicious app through links on legitimate sites that have been compromised. The first malicious link was inserted on this legitimate site which offered a United States Coronavirus (COVID-19) Tracker.

[Image: map]

The link appeared in this banner ad, which has since been removed.

[Image: malicious link]

The information on the site itself is real, but be careful of any links on third-party sites concerning coronavirus apps. And the number of coronavirus-related sites is growing at an alarming rate.


The Good News

Both Microsoft and Google will be offering their own tracking apps soon. Download them directly from their app stores. Beware of third-party sites using these company icons or their app icons to promote fake COVID-19 tracking apps.

Although we know that no one has yet paid a ransom, as the attackers compromise more sites and fine-tune their attack, their success rate will probably increase. Keep in mind that ransomware can be easily renamed. Any screen-locking ransomware could come from the same source despite what name it is given. Use a screen lock password.

If you are attacked with an exact copy of this ransomware, the unlock code is 4865083501. It didn’t look like the developers tried to hide it very well and I’d expect future versions will not be as easy to decrypt.

There has recently been a tsunami of apps trying to take advantage of the coronavirus pandemic. Sadly, they are getting better and better every day. I will try to keep everyone updated on the more well-designed exploits that come along.
