CovidLock Ransomware Exploits Fear Surrounding Coronavirus with a Malicious Android App


While people are living through these trying times, doing their best to survive the global pandemic surrounding Coronavirus, cybercrooks are having a field day. Coronavirus-related malware has been popping up daily, for months now. There have been dozens of newly-crafted Trojans and ransomware threats exploiting the fear that surrounds Coronavirus, also known as COVID-19.

It's a hot topic, discussed on the news each day, talked about on social media, and you can't spend a day without hearing and reading about statements made by experts. And, despite all of that, the general public remains starved for information on the topic. People can never get enough news on Coronavirus. Unfortunately, cybercriminals are actively exploiting the pandemic to their advantage.

Cybercriminals are turning fear into their greatest ally

There are countless tricks with which cybercrooks attempt deception. They offer bogus maps that 'track the infection,' websites that 'monitor infected patients,' and so on. The list of potential trickery is long. And, so far, these tricks have proven somewhat effective. People buy into the 'tracking' and the 'monitoring' and fall prey to ill intentions. Their hunger for information makes them vulnerable to malware.

The latest dupe that cybercriminals resort to involves a website. Malicious individuals tout the site as one containing information regarding the Coronavirus. Not only that, but the page also offers services, ones advertised as 'helpful.' Of course, they are not.

Believe the web of lies these hackers push on you, put your faith in the site, and you'll end up with the CovidLock ransomware on your hands. Here's how the situation unfolds.

The website is a crucial tool in leading to the installation of the ransomware. It pushes you towards installing an Android application. The site advertises the app as an integral instrument in receiving need-to-know data related to the COVID-19 pandemic. Supposedly, it tracks all the incoming updates regarding the Coronavirus outbreak – the spread, the victims, patients still in care, survivors, and so on.

What's more, it claims to push notifications to its users whenever an infected person gets in your vicinity. You might wonder, how does the application manage to detect an infected individual? Well, it claims to use heat-map visuals. And, that would have been quite helpful if it were true. But it is NOT! It's all a sham. It's an attempt to get you to download ransomware so that the cybercrooks behind it can profit off of your fear and naivety. Don't let them. Don't fall victim to their treachery.

Look for information only from reliable sources – official statements by the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). Do NOT click, open, or download anything from a website that you have not verified as a reliable source! Caution is crucial if you wish to avoid trouble.

What happens if you download the 'Covid-19 tracking' app?

The page appears to show a certification from the CDC and WHO, but that doesn't make it any more trustworthy. It's a sham site that's nothing more than a conduit for a cyber infection. If you buy into the scam, and get the application, here's what you can expect to occur.

As soon as the app starts running on your device, it asks you to allow it to conduct battery optimization. Here's what that looks like:

[Image: The application's request for battery optimization.]

The infection wants you to allow that feature so that it can keep itself running in the background, ensuring that Android doesn't close the app to optimize battery performance. After you allow this feature, the application continues to make more requests. It asks for access to Android's Accessibility feature, as you can see in the image below. It does this for no other reason than to ensure its stay on your phone, in perpetuity.

[Image: The application's request for the Accessibility feature.]

The malicious app then follows with yet another request – for administrator privileges. Even if its previous requests didn't raise a red flag or seem suspicious to you, this is the time to become suspicious! No such app should ask for administrator privileges, and you should not grant them if it does. The reason the application gives for needing these admin rights is that, with them, it can send you notifications. Presumably, it can notify you when a Coronavirus patient is near you. That is a lie. The application does not do that.

[Image: The application's request for Administrative privileges.]
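A static check for the three requests described above (battery-optimization exemption, Accessibility access, device administrator), as an added example that is not part of the original article or of any researcher's tooling. It assumes the APK's manifest has already been decoded to plain XML; the sample manifest and its package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app
# (package and class names are invented, not taken from CovidLock).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Watcher"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

REQUIRED = {"battery_optimization_exemption", "accessibility_service", "device_admin"}

def triage_manifest(xml_text):
    """Return the persistence and lock-related capabilities a manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = {}
    if "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in requested:
        findings["battery_optimization_exemption"] = ["<uses-permission>"]
    # Accessibility services and device-admin receivers are components
    # guarded by a BIND_* permission, not <uses-permission> entries.
    component_checks = {
        "accessibility_service": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
        "device_admin": ("receiver", "android.permission.BIND_DEVICE_ADMIN"),
    }
    for label, (tag, bind_perm) in component_checks.items():
        names = [c.get(ANDROID + "name") for c in root.iter(tag)
                 if c.get(ANDROID + "permission") == bind_perm]
        if names:
            findings[label] = names
    return findings

def is_high_risk(findings):
    """True when all three capabilities from the request sequence are declared."""
    return REQUIRED <= set(findings)

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for capability, where in result.items():
        print(f"{capability}: {', '.join(where)}")
    print("high risk:", is_high_risk(result))
```

Any one of these declarations has legitimate uses; it is the three together in an app that presents itself as an information tracker that warrants a closer look.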

As soon as the app receives these admin rights, the attack is imminent. Once you click on 'Scan Area For Coronavirus,' it launches a CovidLock screen-lock attack. It changes your lock screen and demands payment if you wish to unlock your screen and regain control over your device.

If you comply, you receive a promise that you'll get sent a unique password. Then, as soon as you input the password, your screen gets unlocked, and you can use your phone again. That's what the cybercriminals behind the CovidLock ransomware claim.

Above all, you must acknowledge that you're dealing with malicious hackers. As you can guess, they are hardly a trustworthy type. You should note that these people can swindle you out of your money, and send nothing in return, leaving you with a locked phone. That's always an option when it comes to ransomware.

[Image: The ransomware message CovidLock displays on your screen.]

How much is it worth to unlock your screen, after CovidLock locks it?

The ransomware requests Bitcoin (BTC) as payment. Some users have reported a sum of $100 worth of BTC, and others $250. Whatever the amount, paying is ill-advised.
The infection even sets a deadline to incentivize you to pay up promptly. CovidLock allows you 48 hours to complete the payment. If you don't, the ransomware threatens to delete everything you keep on your phone. Pictures, videos, tracks, messages, social media accounts, contacts – all of it erased by CovidLock!

To further amp up their threats, the cyber extortionists display the following message on your screen:


[Image: The application's threats, deadline, and ransom request.]

Despite these atrocious threats, experts urge against payment.

Do you have to pay the CovidLock ransom to regain access to your phone? No, you don't.

Security experts have examined the ransomware's attack to determine whether its claims are true or false – does it genuinely encrypt your files, and can it delete them? These researchers concluded that the app does NOT encrypt anything. They verified that the app does NOT use the Internet at all. That means the message threatening that your private data got sent to the hackers, and is at their disposal, is a lie! There is NO direct communication between the hackers and their extortion tool.

Malware researchers went a step further and even reverse-engineered a password that unlocks the victim's phone, cutting out the middle-man – the unreliable malicious cybercrooks behind the extortion app.

If you've fallen victim to the CovidLock ransomware, use the following pin to unlock your phone: 4865083501.

After you input the password and unlock your phone, you must remove the app from your device's applications list ASAP. Go to Settings, open the Application list, and find the Coronavirus Tracker app. Uninstall it at once! If you experience issues with the uninstall process, be sure to revoke the admin permissions that you previously gave to the application. After you do that, uninstalling the app should be no trouble.

When it comes to apps, do your best to install them only from official sources, like Google Play. Don't click unknown links, and be wary if you receive a link from an ad, email, SMS message, and so on. That can save you a lot of headaches, energy, and time in dealing with troublesome applications. Also, don't believe promises that seem unrealistic. The claim that an app can track whether a person, infected with Coronavirus, is near you is one such claim. That type of technology does not yet exist.

March 19, 2020
