Beginning in early March 2020, a malicious domain (coronavirusapp[.]site) has been promoting a real-time coronavirus-outbreak tracker application. In reality, there is no such app; users who download it are infected with “CovidLock,” a file-locking ransomware.
Infection Vector of CovidLock Ransomware
A website (coronavirusapp[.]site) was registered on March 8, 2020, and has been found luring users into downloading an Android application called "Coronavirus Tracker." The app claims to help users find any nearby people infected with the coronavirus. It is not a tracker app as promised; instead, it is the file-locker malware "CovidLock." The SSL certificates of the malicious domain (coronavirusapp[.]site) are linked to another malicious domain (dating4sex[.]us) that promotes and delivers the same malicious application. The malicious website is registered in the name of an individual in Morocco.

The malicious domain uses an iframe taken from infection2020[.]com (a website used for tracking US-based COVID-19 news), with a small advertising banner prompting users to download the malicious application for real-time updates. A few days later, the malicious site started using resources from DoMobile, a provider of legitimate Android apps; the new site was also found to be serving the same malicious application. The malicious website redirects users to another domain, dating4sex[.]us, which hosts other malicious Android Application Packages (APKs).

WHOIS records for the domain reveal that the registrant lives in Morocco. The registrant's email address, rolling8dice@gmail[.]com, is linked with an additional 158 domains, all of which are now inactive. This website also serves a pornography Android application named "EroFlix." All of this suggests that the attackers behind the campaign were using these domains for a different purpose and, after the coronavirus epidemic began, changed their approach to take advantage of it.
CovidLock is Android ransomware that performs a lock-screen attack against its victims. The malicious APK has two main components: the bytecode and the resources. The malware monitors the BOOT_COMPLETED broadcast so that the application is activated at device start-up, which gives it persistence. The application also requests the BIND_DEVICE_ADMIN permission; once a user grants it, the permission is used to gain full control of the device. The authors try to lure victims by asking whether they want to enable the application in Accessibility so it can regularly monitor COVID-19 statistics and find out whether there are any COVID-19 patients in their area. The malware also checks whether it is running as a device administrator and, if not, requests that permission.

It does not make any significant DNS requests until the infection process reaches a particular stage of interaction with the victim. After reaching that stage, it contacts a 'bit.ly' shortened URL, which redirects to a Pastebin page storing the first ransom note. The Pastebin page also holds the attackers' Bitcoin wallet ID. Storing the ransom note and wallet ID on Pastebin lets the attackers change the wallet address at any time. The authors also did not implement any obfuscation of the application's source code.
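The capabilities described above (a BOOT_COMPLETED receiver for persistence, a device-admin receiver guarded by BIND_DEVICE_ADMIN, and an accessibility service) are all visible in an APK's manifest before the app is ever run. The following script is an added example, not code from the original article or from the malware; it triages a decoded AndroidManifest.xml (as produced by a tool such as apktool) for that combination. The manifest it parses is a constructed sample that mimics the behaviours the article describes, not the real CovidLock APK, and the package name and component names are invented.

```python
"""Static triage of an Android manifest for CovidLock-style locker indicators.

Added example (not part of the original article). It parses a decoded
AndroidManifest.xml and flags the combination the article describes:
BOOT_COMPLETED persistence, a device-admin receiver (BIND_DEVICE_ADMIN)
and an accessibility service.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest: package and component names are invented and
# do not come from the real CovidLock sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracker">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Coronavirus Tracker">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return a dict of boolean findings plus a score and verdict."""
    root = ET.fromstring(manifest_xml)

    # Permissions the app asks the user/system for.
    permissions = {p.get(ANDROID_NAME) for p in root.iter("uses-permission")}
    # Every intent action any component listens for.
    actions = {a.get(ANDROID_NAME) for a in root.iter("action")}
    # Permissions that protect receivers/services: BIND_DEVICE_ADMIN and
    # BIND_ACCESSIBILITY_SERVICE show up here, not in <uses-permission>.
    bind_perms = {
        el.get(ANDROID_PERMISSION)
        for tag in ("receiver", "service")
        for el in root.iter(tag)
    }

    findings = {
        "boot_persistence": "android.intent.action.BOOT_COMPLETED" in actions,
        "requests_boot_permission": "android.permission.RECEIVE_BOOT_COMPLETED" in permissions,
        "device_admin": "android.permission.BIND_DEVICE_ADMIN" in bind_perms,
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in bind_perms,
    }
    score = sum(findings.values())
    # Device admin plus boot persistence is the core screen-locker pattern.
    locker = findings["device_admin"] and findings["boot_persistence"]
    findings["score"] = score
    findings["verdict"] = "suspicious: screen-locker pattern" if locker else "no locker pattern"
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest decoded from any APK under review; a hit on both `device_admin` and `boot_persistence` is the signal to look more closely, while a legitimate app rarely needs device-admin control, boot-time activation and an accessibility service all at once.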
What to Do?
With an increase in coronavirus-related cyber attacks and scams, users should pay more attention to any fake news or apps related to COVID-19, and follow basic security practices. Android users should take necessary precautions, such as installing applications only from official stores like Google Play. Always keep the “Unknown Sources” feature disabled on the Android device to stay protected. Do not click on unknown links received via SMS, email, or the like, and do not trust any app that seems unrealistic (like this app, which claimed to locate any nearby COVID-19 patients). Install a reliable antivirus application on the smartphone to detect or stop any malicious application before it does any damage.
While doctors around the world are busy helping people fight COVID-19, cybercriminals are busy taking advantage of this epidemic to fulfill their malicious intent. They are now targeting smartphone users to collect ransom and are able to do so flawlessly because people are afraid of COVID-19 and desperate to protect themselves from it. It is now even more important to practice caution while browsing online and to follow security practices.
Indicators of Compromise
URL - Ransomware Note 1
URL - Ransomware Note 2