It has been more than a year since people around the world were pushed into relying on technology, whether they liked it or not. Governments, healthcare providers, restaurants and everyone else have flooded users with applications to help them safely stay in touch with the outside world.
In this context, cybercriminals quickly adapted their strategy to capitalize on this newly opened market and trick victims into installing malicious apps on their Android phones. Bitdefender researchers have found multiple apps taking advantage of mobile users looking for information about the vaccines or seeking an appointment to get the jab. We expected this, having spotted a similar campaign a year ago when COVID-19 had just struck and users were restlessly looking for information.
Campaigns using COVID-19 vaccines as a pretext to deploy malware are a global problem, and they range from annoying but seemingly innocuous apps packed with adware to fully fledged Banker Trojans ready to take over the device after just a few taps.
One of Android’s main strengths, and at the same time one of its weaknesses, is the user’s ability to sideload apps. This feature lets people install apps that are not available in the official store. Unfortunately, it also means many users unintentionally install malware from third-party stores or other locations.
While this is a serious problem, the malware-ridden apps we’ve found are not limited to third-party locations. Some are still available through Google Play, despite Google’s efforts to weed out malicious apps during the developers’ uploading process.
Hydra Bankers
Two of the samples we identified belong to the infamous Hydra trojan family. Historically, Hydra targeted Turkish users, but lately it has been extending its reach. This time its chosen victims are in Chile and other Spanish-speaking countries.
| | Sample 1 | Sample 2 |
|---|---|---|
| APK MD5 | af2e61a6778c3a3a1001f87ea9c96e80 | 56d07c9e9747c63ad8ee03a46fc5d26d |
| Package name | uniform.despair.grass | ball.ridge.fly |
| CnC | shabukenkeinside[.]com | |
| Distributed as | Vacuna_COVID19_Chile.apk | |
| Application name | Vacuna Covid-19 Chile | |
| Translated label | Vaccine Covid-19 Chile | |
| Icon text (translated) | Ministry of Health, Government of Chile | |
Both applications pose as a coronavirus vaccine app for users in Chile, and their behavior is very similar. One of the versions has been mentioned before on Twitter.
Users could download the apps from the following domains. Both resolved to the same IP address, which belongs to a web hosting provider in Malaysia. At the time of writing, the domains have stopped serving the malware.
| Distribution point | IP | Registration date (DD.MM.YYYY) | Expiration date (DD.MM.YYYY) |
|---|---|---|---|
| miinsaludgovcovacunacovid[.]com | 111.90.145.231 | 12.02.2021 | 12.02.2022 |
| miinsalud-gov-cl-vacuna-cvid19[.]com | 111.90.145.231 | 15.02.2021 | 15.02.2022 |
Once the victim opens the app, it tries to lure them into enabling the Accessibility Service for it. If the user accepts, the app grants itself every permission it requires, hides its launcher icon and sends a premium SMS message. The premium SMS likely serves a simple purpose: confirming that the malicious app has acquired the permissions it needs.
With Accessibility access, the app can read the content of any window on screen and harvest data such as credit card numbers and passwords. From there, it is only a matter of time before the user’s banking credentials are leaked.
The user cannot revoke the Accessibility permission or uninstall the app from Settings either: as soon as they reach the relevant screen, the app sends them back to the home screen.
The samples we collected carry ZIP file dates of 12.02.2021 and 15.02.2021, respectively, and their corresponding distribution points were registered on the very days they were built. ZIP timestamps are written by whoever packed the file and are no guarantee of the exact build time, but they hint at when the attack began.
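The two checks described above, the ZIP-timestamp estimate of the build date set against the distribution domain's registration date, and the manifest combination (an Accessibility service plus SMS rights) that enables the takeover, as an added example in Python. This is not Bitdefender's tooling. It assumes the manifest has already been decoded to plain XML, as apktool produces; a real APK ships a binary AXML manifest that this code does not parse. The APK below is constructed in memory: the package name is the first Hydra sample's, the class names and timestamps are made up for the demo.

```python
"""Static triage of a suspected banker APK (added example, not the article's code)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import date, datetime
from typing import Optional, Tuple

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed decoded manifest modelled on the behaviour in the article.
# Package name from the first Hydra sample; the class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="uniform.despair.grass">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Vacuna Covid-19 Chile">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Construct an in-memory ZIP standing in for an APK. Entry timestamps
    mimic a 12.02.2021 build with one older resource left over from a template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, stamp in (
            ("AndroidManifest.xml", SAMPLE_MANIFEST.encode(), (2021, 2, 12, 9, 30, 0)),
            ("classes.dex", b"dex\n035\x00", (2021, 2, 12, 9, 31, 4)),
            ("res/drawable/icon.png", b"\x89PNG", (2020, 11, 3, 0, 0, 0)),
        ):
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


def zip_build_window(apk: bytes) -> Tuple[datetime, datetime]:
    """Oldest and newest entry timestamps. ZIP times are set by whoever packed
    the file and are trivially forged: treat them as a hint, not evidence."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        stamps = [datetime(*info.date_time) for info in zf.infolist()]
    return min(stamps), max(stamps)


def manifest_indicators(xml_text: str) -> dict:
    """Pull the manifest facts that matter for an Accessibility-abusing banker."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == A11Y_PERMISSION]
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "send_sms": "android.permission.SEND_SMS" in perms,
        "permissions": sorted(p for p in perms if p),
    }


def triage(apk: bytes, registered: Optional[str] = None) -> dict:
    """Combine both checks. `registered` is the distribution domain's WHOIS
    creation date as an ISO string (YYYY-MM-DD), if known."""
    oldest, newest = zip_build_window(apk)
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        result = manifest_indicators(zf.read("AndroidManifest.xml").decode())
    result["oldest_entry"] = oldest.isoformat()
    result["newest_entry"] = newest.isoformat()
    if registered is not None:
        # Days from domain registration to the newest entry; 0 means the
        # infrastructure was set up the same day the APK was packed.
        result["days_after_registration"] = (newest.date() - date.fromisoformat(registered)).days
    # An Accessibility service together with SEND_SMS is the pairing the
    # Hydra sample uses to grant itself rights and confirm them by premium SMS.
    result["suspicious"] = bool(result["accessibility_services"]) and result["send_sms"]
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_apk(), "2021-02-12"), indent=2))
```

The newest entry, not the oldest, is the useful build hint: repackaged or templated apps often carry old resources, while the DEX and manifest are rewritten at packing time. Treat a near-zero gap between packing and domain registration as corroboration of the timeline, never as proof on its own.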
The way the criminals distribute this malware shows that they target Spanish speakers. Banker Trojans also usually carry a list of the banking applications they target; here the list holds 30 financial applications, mostly with Spanish-speaking user bases (readers can find the complete list in the Indicators of Compromise section).
Our telemetry readings show that the threat is currently active, predominantly in Spain. We detect this threat as Android.Trojan.Banker.RY.
Cerberus Bankers
The other banker family we found taking advantage of the coronavirus vaccine is the well-known Cerberus malware-as-a-service. One of the apps carries a ZIP file date of 26.01.2021, so these actors did not take long to jump on the coronavirus vaccine bandwagon.
| | Sample 1 | Sample 2 |
|---|---|---|
| APK MD5 | 0da756d28cead23b2c0e09573b2467ee | 53550f69f2eecd26910fead5748e094b |
| Package name | com.aivjutzyceew.jgiriaeg | com.lgiueovx.xlfhh |
| Distributed as | Asi_Sorgu.apk | Asi_Takip_Sistemi.apk |
| Application name | Aşı Sorgu | Aşı Takip Sistemi |
| Translated label | Vaccine Query | Vaccine Tracking System |
| CnC | 193.37.212.151 | mohabmnho[.]surf |
The malware attempts to spoof legitimate Turkish healthcare apps that are currently on Google Play, such as ATS Aşı Uygulama.
The Cerberus family is well documented and, behavior-wise, these applications stick to the pattern.
From the user’s first tap, the apps request the Accessibility permission and keep requesting it until the user grants it: they pop up over and over and display toast messages (small snippets of text overlaid on the screen) until the user gives in. Once the victim grants the Accessibility permission, the apps hide their launcher icon and proceed to take over the device.
Both samples target Turkey, as the application names indicate.
We detect this threat as Android.Trojan.Banker.UI.
Repackaged adware
Many legitimate informational apps about the coronavirus vaccine have appeared in the last couple of months, and Vaccinum is one of them. It was originally meant to give users advanced statistics on vaccination progress at national and global level. That very purpose made it a perfect target for malware creators.
The original application was available on Google Play for a while, until the store’s COVID-19-related regulations [6] required its developers to take it down. Currently, if users visit the app’s official website, they will find the following message:
While Google Play has legitimate reasons to restrict COVID-19-related applications, removing apps may push some users to third-party Android markets, which tend to be more lenient about unwanted content.
This is where we find a new version of Vaccinum. While this version is the same as the original app functionality-wise, it comes repackaged with adware.
[Side-by-side code comparison: last known original (clean) version vs. repackaged version with ads, MD5 93d7b7ba67c51d60a616fad011da0110]
Every time a user opens the modified app, a pop-up appears after a couple of seconds with an advertisement and a request from a website to send notifications to the device. The ad carries a “SKIP AD” button that skips nothing, despite its name: it simply opens a different ad in the browser. The hosting site asks for permission to send notifications, after which it attempts to scam the user.
In this example, the website tries to persuade the victim to send a text message to a short code.
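Telling a repackaged build apart from the original is mostly a matter of comparing what the two APKs declare. The following is an added example, not the article's or the Vaccinum project's code: it diffs two decoded manifests (apktool output; real APKs carry binary AXML, which this code does not parse) of the same package, the last known clean build and the version found on a third-party market, and reports what the repackager bolted on. Both manifests are constructed; com.example.vaccinum and the com.adsdk component names are placeholders, not the real app's identifiers.

```python
"""Diff a clean manifest against a suspected repackaged one (added example)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed stand-in for the last known clean build.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vaccinum" android:versionCode="12">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Vaccinum">
    <activity android:name=".MainActivity"/>
    <activity android:name=".StatsActivity"/>
  </application>
</manifest>
"""

# Constructed repackaged build: same package and version code, plus an ad
# SDK's components and the permissions it needs to draw over other apps
# and to start at boot.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vaccinum" android:versionCode="12">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Vaccinum">
    <activity android:name=".MainActivity"/>
    <activity android:name=".StatsActivity"/>
    <activity android:name="com.adsdk.InterstitialActivity"/>
    <receiver android:name="com.adsdk.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def manifest_profile(xml_text: str) -> dict:
    """Package identity, declared permissions and (tag, name) components."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    comps = set()
    if app is not None:
        for tag in COMPONENT_TAGS:
            comps.update((tag, e.get(ANDROID + "name")) for e in app.iter(tag))
    return {
        "package": root.get("package"),
        "version_code": root.get(ANDROID + "versionCode"),
        "permissions": {e.get(ANDROID + "name") for e in root.iter("uses-permission")},
        "components": comps,
    }


def is_foreign(package: str, component: str) -> bool:
    """A fully qualified component outside the app's own namespace. Ad SDKs
    and injected payloads normally live in their own Java package."""
    return not component.startswith(".") and not component.startswith(package + ".")


def repackaging_diff(clean_xml: str, suspect_xml: str) -> dict:
    clean, suspect = manifest_profile(clean_xml), manifest_profile(suspect_xml)
    added_perms = sorted(suspect["permissions"] - clean["permissions"])
    added_comps = sorted(suspect["components"] - clean["components"])
    foreign = [c for c in added_comps if is_foreign(suspect["package"], c[1])]
    same_package = clean["package"] == suspect["package"]
    return {
        "same_package": same_package,
        "same_version_code": clean["version_code"] == suspect["version_code"],
        "added_permissions": added_perms,
        "removed_permissions": sorted(clean["permissions"] - suspect["permissions"]),
        "added_components": added_comps,
        "foreign_components": foreign,
        # Same package identity with new foreign components or new permissions
        # is the repackaging signature this example looks for.
        "likely_repackaged": same_package and bool(foreign or added_perms),
    }


if __name__ == "__main__":
    for key, value in repackaging_diff(CLEAN_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{key}: {value}")
```

The manifest diff is only half the check. A repackager cannot sign with the original developer's key, so the signing certificate of the suspect APK will differ from the clean one; compare the fingerprints printed by `apksigner verify --print-certs` on both files before calling a sample clean.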
We detect this threat as Android.Adware.Agent.BMI.
Co-Win Adware
The Indian government launched a COVID-19 vaccine tracking and registration platform, Co-Win, on March 1, 2021. Reports of malware imitating Co-Win and of bad actors copying other Indian healthcare apps quickly emerged. Adware and fake applications immediately followed. The Indian government issued a warning in this regard.
Despite the official warning, we have observed more adware arriving in the official Google Play store. Google has been trying to vet all vaccination-related applications properly, but some fell through the cracks.
One such app, “Guide for Co-Win India App – Made In India” (package name register.guidefor.cowin20), also piggybacks on India’s Co-Win vaccine registration system and is a perfect example of an app that should not be in the official store.
Our systems indicate that this app has been active on Google Play since the middle of January, at least. The app attempts to provide information on how to use the Co-Win system. However, the app bombards its users with advertisements.
The application comes with a disclaimer (“This app is not official app of any government entity or government sites or government program”), but that offers no relief to a reader who wants to stay informed and is served ads instead.
A quick look at the app shows the ads that users have been reporting.
Google has been informed of this behavior; we advise users to avoid such applications until Google Play takes appropriate action.
We detect this threat as Android.Adware.Agent.BMF.
Conclusion
These examples are only the tip of the iceberg of vaccine-themed apps. Malware and adware will continue to abuse people’s demand for vaccine information. If there is one lesson to be learned from this research, it is that Android users should always be wary of apps requesting access to the Accessibility Service, as it is the main route criminals use to take over mobile devices.
We advise people to be vigilant and get any COVID-19 related information from known, proper channels and official government sources.
Indicators of Compromise
Hydra
Samples
| MD5 | Package name |
|---|---|
| af2e61a6778c3a3a1001f87ea9c96e80 | uniform.despair.grass |
| 56d07c9e9747c63ad8ee03a46fc5d26d | ball.ridge.fly |
Hydra targeted applications
| Package name | Application name |
|---|---|
| cl.android | Banco Falabella \| CMR |
| co.com.bbva.mb | BBVA Colombia |
| com.bancocajasocial.geolocation | Banco Caja Social Móvil |
| com.bankia.wallet | Bankia Wallet |
| com.bankinter.launcher | Bankinter Móvil |
| com.bbva.bbvacontigo | BBVA Spain \| Mobile Banking |
| com.bbva.netcash | BBVA Net Cash \| ES & PT |
| com.cajaingenieros.android.bancamovil | Caja de Ingenieros Banca MÓVIL |
| com.citibanamex.banamexmobile | Citibanamex Móvil |
| com.grupoavalav1.bancamovil | AV Villas App |
| com.indra.itecban.triodosbank.mobile.banki* | Triodos Bank. Banca Móvil |
| com.kutxabank.android | Kutxabank |
| com.mediolanum | Banco Mediolanum España |
| com.rsi | ruralvía |
| com.rsi.Colonya | Colonya Caixa Pollença |
| com.targoes_prod.bad | TARGOBANK – Banca a distancia |
| com.todo1.davivienda.mobileapp | Davivienda Móvil |
| com.todo1.mobile | Bancolombia App Personas |
| es.bancosantander.apps | Santander |
| es.caixagalicia.activamovil | ABANCA - Banca Móvil |
| es.caixaontinyent.caixaontinyentapp | CaixaOntinyent |
| es.cecabank.ealia2103appstore | UniPayUnicaja |
| es.cm.android | Bankia |
| es.lacaixa.mobile.android.newwapicon | CaixaBankNow |
| es.liberbank.cajasturapp | Banca Digital Liberbank |
| es.openbank.mobile | Openbank – banca móvil |
| es.univia.unicajamovil | UnicajaMovil |
| eu.netinfo.colpatria.system | Scotiabank Colpatria |
| net.veritran.becl.prod | BancoEstado |
| www.ingdirect.nativeframe | ING España. Banca Móvil |
*presumably meant to be com.indra.itecban.triodosbank.mobile.banking
Domains
| Domain/IP |
|---|
| shabukenkeinside[.]com |
| miinsaludgovcovacunacovid[.]com |
| miinsalud-gov-cl-vacuna-cvid19[.]com |
Cerberus
Samples
| MD5 | Package name |
|---|---|
| 0da756d28cead23b2c0e09573b2467ee | com.aivjutzyceew.jgiriaeg |
| 53550f69f2eecd26910fead5748e094b | com.lgiueovx.xlfhh |
Domains
| Domain/IP |
|---|
| 193.37.212.151 |
| mohabmnho[.]surf |
Repackaged Adware
Samples
| MD5 |
|---|
| 93d7b7ba67c51d60a616fad011da0110 |
Co-Win Adware
Samples
| MD5 |
|---|
| 445095576fcd2ba8e9b67f48d19626fa |
| 88808208fe2a9d15a3a06782050c1f7a |
| ff47e1aa47f82701bbdf4808d26c7b09 |
| 5e90955d01a36a6eab26ac255b6a7fba |
| 5599679283cbc14ac7224dde5e3ef955 |
Bitdefender Mobile Security and Antivirus detects and removes all malware associated with this attack.