Since the onset of the pandemic, numerous threat actors (TA) have been taking advantage of the COVID-19 pandemic situation as an opportunity to launch cyberattacks. According to the Cyble Research Labs, the TAs are targeting users via a range of vectors such as phishing campaigns and ransomware attacks, etc.
During our routine Open-source Intelligence (OSINT) research, we came across a fake Android app related to COVID-19 posted by a researcher on Twitter. The post contains the digest value of the Android APK as well as the link on which the malicious file was hosted. Upon further investigation, we found that the malware is a counterfeit version of CoronApp, an official app released by the Government of Colombia for tackling the COVID-19 situation in the country. Â
CoronApp is a mobile application collectively developed by the Government of Colombia and the National Institute of Health, Colombia, in order to help people deal with challenges arising out of the pandemic. It is available on the Google Play Store and the Apple App Store.
The below figure showcases the icon of the original CoronApp being used by the TA to trick users into downloading the fake app.
We downloaded the fake Android Package (APK) from hxxp://androidmedallo.duckdns[.]org and performed a detailed analysis on it. In addition to the fake app exhibiting the behavior of a surveillance software, we also discovered that software related to other platforms such as Windows are also hosted on the URL listed. Our investigation also indicated that the other software are also malicious. In this analysis, we will direct our focus on the counterfeit CoronApp app.
 Upon analyzing the APK sample, we found that the malicious software functions as a Remote Access Trojan (RAT), a type of malware that provides attackers with complete remote control over the victim’s system.
This variant of RAT application requests various dangerous permissions. Once the permissions are enabled, the malware can collect information such as call logs, contact information, and SMS data available on the infected device. We also observed that the malware takes complete control of the device using permissions such as DEVICE_ADMIN and ACCESSIBILITY.  
 Technical Analysis 
The metadata information of the malicious fake app is given below: 
APK Metadata Information: 
- App Name: Corona App 
- Package Name: com.android.tester 
- SHA256 Hash: 
d6cf06cd34f50317131591268d23ef266c01bf3f758893568f10204825cc3369 
The application requests 51 permissions in the manifest file, of which 18 are dangerous as they enable the RAT to conduct surveillance activities. Some of the dangerous permissions requested by the application are shown below:  
- android.permission.READ_CALL_LOG: Fetch call logs stored on the device. 
- android.permission.READ_CONTACTS: Fetch contacts from the device address book.
- android.permission.READ_SMS: Fetch SMSes from the device. 
- android.permission.SYSTEM_ALERT_WINDOW: This allows the application to show system-level alerts. 
- android.permission.BIND_DEVICE_ADMIN: This allows the application to get admin-level privileges on the device. 
- android.permission.BIND_ACCESSIBILITY_SERVICES: This allows the application to monitor the device’s screen. 
- android.permission.RECORD_AUDIO: This allows the application to record audio using the device’s microphone. 
- android.permission.READ_EXTERNAL_STORAGE: This allows the application to read files from the device’s external storage. 
If the user enables the afore-mentioned permissions, the malware can take complete control and collect sensitive information from the victim’s device. 
On being launched, the application requests the user to enable two extremely dangerous permissions, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN, as shown in Figure 3.  
BIND_ACCESSIBILITY_SERVICE is a permission that allows the RAT to monitor the device’s screen.
BIND_DEVICE_ADMIN is a permission that allows the fake app to get admin privileges on the device. 
As per our observations, the malware is constantly communicating with the Command and Control (C&C) server using a socket connection that acts as a medium between the application and the server. This allows the application to receive commands to perform activities on the device such as collecting information, making calls, spying using a microphone, and even formatting the device. 
The malware also leverages the BIND_DEVICE_ADMIN permission that can be used to lock the device and perform a factory reset based on the command. With this permission, the malware can reset the password with the string provided by the C&C server, as shown in Figure 4. 
The RAT application abuses ACCESSIBILITY permission to hook the device screen, which allows the malware to monitor the screen activity and perform keylogging functions.  
The code used by the RAT to perform keylogging and device screen monitoring is shown in figure 5. 
The RAT performs surveillance actions based on the commands from the C&C server. The C&C server commands are based on preset values stored in the application. Based on our code analysis, we found that the commands are received in the form of integers. 
The application collects contacts based on the C&C server command. The figure below shows the technique used by the RAT for identifying the command from the C&C server. 
The information collected by the malware include:  
- Application lists from the device  
- Wallpaper set on the device
- GPS location of the device 
- Contacts from the device phone book
The code used by the RAT to collect contacts is shown in the image below.
- Call logs: The malware also has the ability to monitor outgoing and incoming calls by creating listeners.
The listener used for the call monitoring is shown below in figure 9. 
- The malware can also monitor newly received SMSes, the code for which is shown below.
- The malware can also collect files from the device’s external storage, as shown in Figure 11. 
The malware also has code to delete files from external storage based on the commands from C&C.   
C&C server URL: androidmedallo[.]duckdns[.]org/46.246.84[.]12:5214 
 The RAT hides its presence on the victim’s system by removing the icon from the home screen, as shown in Figure 12. 
We have observed that the malware uploads the wallpaper set on the victim’s device screen to the C&C server and can also spy on the victim’s surroundings using the device’s microphone.   
Figure 13 has the code to collect the device wallpaper. 
Along with these malicious activities, the malicious application has the ability to change the victim’s device wallpaper based on the commands from the C&C server. It initiates malicious activity based on device events. The RAT creates listeners for device events such as: 
- BOOT_COMPLETE: Event-related to device boot up. 
- POWER_CONNECTED & POWER_DISCONNECTED: Events based on whether there is a charger connected.
- PACKAGE_ADDED, PACKAGE_DELETED, PACKAGE_INSTALLED & PACKAGE_REMOVED: Events-based on installing or removing applications from the device. 
- PHONE_STATE: Event-related to device’s state such as switching on/off airplane mode, receiving a call etc.
Conclusion  
 The analysis shows that the fake CoronApp can take complete control of the device.   Any infected device will be entirely under the attacker’s control. Based on the fact that the fake application has the same icon as that of the legitimate, official CoronApp from the Colombia Government, we suspect that the TA is targeting Android users from Colombia.
The attacker can only infect the device by leveraging the sideloading feature, which is disabled by default on Android devices. Unless the user manually enables the sideloading feature, the malicious app cannot be installed into the device.
Our Recommendations 
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   
- If you find this malware in your device, uninstall it immediately. 
- Use the shared IoCs to monitor and block the malware infection. 
- Keep your anti-virus software updated to detect and remove malicious software. 
- Keep your system and applications updated to the latest versions. 
- Use strong passwords and enable two-factor authentication. 
- Download and install software only from registered app stores. 
MITRE ATT&CK® Techniques 
| Tactic  | Technique ID  | Technique Name  |
| Defense Evasion  | T1406   T1418    | Obfuscated Files or Information  Application Discovery    |
| Discovery  | T1421 T1418 T1426 T1424    | System Network Connections Discovery  Application Discovery  System Information Discovery  Process Discovery  |
| Collection  | T1429  T1507   T1432  T1430  T1409 T1414 T1430    | Capture Audio  Network Information Discovery  Access Contact List  Location Tracking  Capture SMS Messages  Access Stored Application Data  Capture Clipboard Data  Location Tracking |
| Command and Control  | T1573  T1571  | Encrypted Channel  Non-Standard Port  |
| Privilege Escalation  | T1401  | Device Administrator Permissions  |
Indicators of Compromise (IoCs):   
| Indicators  | Indicator type  | Description  |
| d6cf06cd34f50317131591268d23ef266c01bf3f758893568f10204825cc3369  | SHA256  | Sample Hash  |
| androidmedallo[.]duckdns[.]org:5214  | URL  | C&C URL  |
| 46.246.84.12  | IP  | C&C Server IP  |
 About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. 
Comments are closed.