Malicious Android App Offering Coronavirus Safety Masks Acts as a Carrier for SMS Trojan
From the moment Coronavirus became a threat on a global scale, there's been an abundance of COVID-19-related scams: malicious online maps that keep you up-to-date with the global situation, spam email campaigns claiming to be sent from official organizations, threats named after the Coronavirus strain, bogus antivirus software that supposedly has the ability to protect the user from the real COVID-19 infection. The list goes on and on. Now it seems that crooks have taken a different approach. They've turned medical supply shortages into a weapon for spreading malware. The result? A dubious app that promises protective masks, when in reality, all it does is infect your device with a nasty Trojan.
Global shortage of protective gear makes people more prone to scams
Because of how quickly this virus spreads, hospitals around the world are experiencing the same problem: a shortage of vital supplies like medicine, equipment, and protective gear. There are many reasons for this shortage. Mass panic causes people to stockpile not only large amounts of food but medicine as well. These irrational actions have had a negative impact on healthcare in every country. Medical workers are forced to put their lives at risk because there aren't enough protective gowns, face masks, eye gear, etc. Even before the WHO declared the COVID-19 strain a global pandemic, people were quick to get their hands on as many masks and antibacterial products as they could, causing an alarming shortage.
Unfortunately, this shortage has opened Pandora's box. Cybercriminals are known to use popular events to their advantage when preparing their malicious attacks, so if you thought that they would draw the line at something as immoral as exploiting a pandemic for malicious purposes, you should think again. Because the need for safety masks is dire, people are desperately searching for a way to acquire them. That's where hackers start scheming. According to a discovery made by Zscaler, attackers have come up with a rogue application for Android users that offers a way to buy the sought-after protective gear.
Malicious Android app gains access to phone contacts as a smart move to reach more victims
"Get safety from corona virus by using Face mask, click on this link download the app and order your own face mask – htxp://coronasafetymask(.)tk."
It all starts with a simple text like the one above. If you take the bait and click on the link, you'll be redirected to a web portal, where you'll be prompted to download the application. The thing is, you won't be downloading a useful app. In fact, the application is just a carrier for a nasty worm that wants to infect your Android OS. Once installed, the worm will obtain your contact list and text them the same message without your knowledge. That's how the infection can reach a maximum number of people in a short period.
Sadly, the victim is the one who gives access to such private information. Unknowingly, of course. Or is it? When you open the rogue application, you'll be urged to grant it access to your contacts and allow it to send and view SMS messages (Fig. 1). Users typically don't give a second thought to granting permissions of this kind, and a victim who wants to obtain the safety mask they so desire has no other option but to allow both requests. In reality, all they'll get is a costly SMS Trojan raging on their Android device.
Figure 1: Image shows in-app pop-up messages requesting permissions from the user. Source: Zscaler
Your contacts will be more likely to believe the message if you're the sender. Here's where it gets nasty. For each text the worm sends from your phone, you'll be charged what your carrier usually charges you for a single text. The more contacts you have, the higher your bill will get. And if you have contacts that live abroad, you'll be charged extra.
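The permission pair described above (contact access plus SMS sending) is something a defender can check for before an app is ever installed. The following is an added example, not code from Zscaler or from the app itself: it reads an AndroidManifest.xml that has already been decoded to text XML and flags that combination. The mapping of "contacts" and "send and view SMS" to specific Android permission names is an assumption, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Attributes in a decoded AndroidManifest.xml carry the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the article's "contacts" and "send and view SMS" requests.
CONTACTS = {"android.permission.READ_CONTACTS"}
SMS_SEND = {"android.permission.SEND_SMS"}
SMS_VIEW = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def requested_permissions(manifest_xml):
    """Return every permission name declared in a decoded manifest."""
    perms = set()
    root = ET.fromstring(manifest_xml)
    # uses-permission-sdk-23 applies on API 23+ only; count both forms.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def sms_worm_risk(manifest_xml):
    """Flag contact access plus SMS sending, the pair SMS self-propagation needs."""
    perms = requested_permissions(manifest_xml)
    return {
        "can_read_contacts": bool(perms & CONTACTS),
        "can_send_sms": bool(perms & SMS_SEND),
        "can_view_sms": bool(perms & SMS_VIEW),
        "flag": bool(perms & CONTACTS) and bool(perms & SMS_SEND),
    }


# Constructed sample manifests (not taken from the real app).
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, sms_worm_risk(xml))
```

A flag here is a triage signal, not a verdict: legitimate messaging apps request the same pair, so the result should be weighed against what the app claims to do.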
The app may change tactics in the future and ask users to pay online to get a safety mask
Zscaler researcher Shivang Desai reports that in the future, we could see changes in the app's behavior: “There's the threat that the malware could ask the victim to pay online for the mask and steal the credit card information.” He also adds that while his team didn't find such functionality in the application, they believe that “the app is in its early stages and this (and other) functionalities will be added as the app is updated.”