COVID-19 is a rare opportunity for cybercriminals to exploit fear and uncertainty across the globe. Nearly every country has a response plan to the virus, and citizens are looking for guidance from their local & national governments on the best way to protect themselves and their families. Smartphones are a key technology to stay connected with loved ones and to gain access to up to date news. As COVID-19 spread, to meet this demand for information, governments worldwide have taken advantage of technology firms and partners to create COVID-19 mobile apps to provide direct access to government resources. This could be as simple as web pages detailing symptoms, to reporting hotlines and email addresses, to advanced tracking features such as detecting when a user came in contact with a person diagnosed with COVID-19, all through a mobile application.
ZeroFox Alpha Team has aggregated and analyzed dozens of nation and/or government-sponsored mobile applications on the Android platform, related to COVID-19. Some of these are official COVID-19 mobile apps, endorsed by a specific country, while others are unofficial one-off applications. In each app, Alpha Team identified a number of privacy concerns, vulnerabilities or backdoors. In this blog post, we provide a technical analysis of three applications. The first highlights a potential malicious copycat of a legitimate, government-sanctioned application, the second details the risks of an application that was built without security in the development lifecycle, and the third discusses an application that was repackaged with a backdoor and abused by cybercriminals.
Copycat CoronaApp Preys on Iranian Users
As COVID-19 began to spread in countries other than China, Iran quickly became an early hotspot. In early March, the Iranian government released an official app intended to track citizens. The app sparks a number of privacy concerns, as its primary purpose appears to be tracking individual citizens as well as harvesting personal information, rather than providing users with vital information on the virus. The official Iranian coronavirus application is available for download at an Iranian app store called CafeBazaar.
Despite this government-sanctioned app, Alpha Team identified an imposter COVID-19 mobile app for Iranian citizens. This copycat, dubbed “CoronaApp”, is available for direct download at `coronaapp[.]ir`. This unofficial download website is linked in multiple news websites, Telegram groups and social network posts. This is especially harrowing because the application is not on the Google Play store, which provides application vetting processes. Unfortunately, because the country is under sanction and most Iranians cannot access the Google Play store, they are vulnerable to unvetted COVID-19 mobile apps that some malicious developers can use to their advantage.
Alpha Team has analyzed the unofficial CoronaApp, and although no evidence of ill-intent was identified, the app does request permissions to access a user’s location, camera, internet data, system information, and write to external storage. Intrusive permissions are not necessarily an indication of something malicious, but rather, this particular collection of permissions demonstrates the likely intent of the developer to access sensitive user information. The risk of allowing these permissions is high, especially when the app has not gone through a vetting process, such as the Google Play Store provides. Although the app is supposedly built with support from the Iranian government, as seen in the screenshots below, there is no reputable evidence that this is the case.
In addition to news articles like these, the download link has been advertised on social media platforms including Instagram and in Telegram groups.
Alpha Team has assessed these news articles and social media posts with a native speaker, and could not verify the legitimacy of the claims in the news articles or the news sites themselves. Many of these news websites also claim that the app is used for informational purposes only, which contradicts the permissions requested within the app. Furthermore, the official website for this app does not use TLS for data transfer.
When a researcher reverse engineers an application, not only should they review the main app source code, but also its corresponding libraries. Just like permissions, not all libraries are inherently malicious, but given the context of the app, its user base and its permissions, these are ripe for abuse for tracking users in a malicious way. A list of highlighted functions found in the loaded library `com.distriqt` can be found in Table 1 of the appendix.
Given that the application is not hosted on an official app store, its lack of standard transport security, the permissions the app requires versus its description on the splash page and news websites, as well as the functions used in external libraries, Alpha Team assesses with HIGH confidence that this application can be abused in the future.
Unofficial application stores have long been used to circumvent the review processes put in place by official app stores. Sanctioned countries are especially vulnerable as citizens often cannot access official channels for content. When users are forced to turn towards these unmoderated sources, they are at the mercy of the application developer and the marketplace maintainer. This has heavy user privacy implications, as unofficial sources provide no guarantee that sensitive data will not be accessed by an application. COVID-19 mobile apps also highlight the importance of supply-chain security. If a threat actor gains the ability to write arbitrary code to a third party library, they could effectively infect millions of citizens who have apps installed that use these libraries.
CoronApp-Colombia Exposes the Personal Health Info of 100,000 users
CoronApp-Colombia was announced by the Colombian President to help the Colombian people with tracking symptoms related to COVID-19. As has become a trend, the app requests a similar kind of permissions as other COVID-19 mobile apps, such as coarse/fine location tracking and the ability to read phone states. CoronApp-Colombia allows the app to read contacts, but after an in-depth analysis, Alpha Team did not find anything malicious within the application itself.
The app, however, did contain a number of vulnerabilities that affect the privacy of more than 100,000 users.
The current version of CoronApp-Colombia on Google Play (1.2.9 as of 25 Mar 2020) uses Insecure Communication with the API server throughout the app workflow. Figure 5, below, shows a hardcoded value, which uses HTTP rather than a more secure method like HTTPS, for API server communications.
This API_URL is used multiple times throughout the app and makes HTTP requests to the 126.96.36.199 server, located in the US, to relay personal health information (PHI) and personally identifiable information (PII). The same URL is also hardcoded into additional API calls (seen in Figure 7), without using the API_URL.
In total, there are 55 HTTP requests that use this URL, and several of these are API payloads that contain PHI and PII.
ZeroFox Alpha Team installed the app on an Android Emulator and captured traffic going to this server with Wireshark. We successfully created a user in the app, and captured all the information (PII and PHI) over cleartext, demonstrating the ease with which an attacker could man-in-the-middle this traffic. Successfully doing so would give attackers access to the PII and PHI of any user of CoronApp-Colombia.
Note that the name, document_type (which can include passports and other registration numbers), email, password, gender, GCM_TOKEN and race are transmitted in the clear text.
Although there is something to be said about rapid response during a crisis, failure to do due diligence and review code prior to releasing it to hundreds of thousands of users puts citizens at risk. Insecure COVID-19 mobile apps such as this one put sensitive user health and personal information at risk of being compromised. In this case, where the CoronApp-Colombia API server is not located within Colombia, the government must give special consideration to information security. Citizens should demand that government-sanctioned applications be subject to security audits to protect sensitive information. Urgency should not trump a thorough code review process,
ZeroFox Alpha Team submitted this vulnerability to Colombian CERT on March 26, 2020. Colombian CERT acknowledged the vulnerability, forwarded it to the developer and the app was formally updated and the vulnerabilities fixed on March 29, 2020. The developer and Colombian CERT showed a rapid security vulnerability response, and we’d like to formally thank them for taking this seriously, swiftly and efficiently. MITRE assigned ZeroFox CVE-2020-11504 for this vulnerability.
Backdoored Regional COVID-19 Mobile Apps Target Italian Users
Many countries are experimenting with regional COVID-19 apps rather than a national application. Italy is one of these countries. Each regional application that Alpha Team collected had a number of features for tracking symptoms, to using bluetooth for detection of potentially infected victims and reporting personal health information. One application, which was released in beta testing, was recompiled with a backdoor and actively infecting victims.
In total, 12 APKs related to this campaign were found. The first thing that caught Alpha Team’s eye was the signing certificate. Although this is an Italian application, targeting Italian citizens, the signer, “Raven”, put their location as Baltimore, the home of the Baltimore Ravens, and of home city of ZeroFox.
Every app analyzed by Alpha Team used these signing certificate and issuer details. The backdoor is present when the Android app receives a BOOT_COMPLETED intent, which is sent to any COVID-19 mobile apps that have this permission enabled when the phone boots, or when the app is opened.
There are a number of redundant functions to run the backdoor. The malicious package in this specific sample, `7b8794ce2ff64a669d84f6157109b92f5ad17ac47dd330132a8e5de54d5d1afc`, uses a malicious package under `it.softmining.projects.covid19.savelifestyle.apzcp`, which 9 of the samples used.
The malicious backdoor itself can be seen under main.
The application uses a number of static assignments of reserved variable types. Line 7 declares a new variable of type a called a2 which is a byte. This is the embedded payload. When decrypted by b.a(a), an object is returned which contains the command and controlURL and a number of commands for performing additional functionalities, such as WakeLocking the device (line 9). Line 20 & 21 retrieve a decrypted string and assign it to str. The code then checks the protocol level of the string (TCP or HTTPS), then passes the resulting DataInputStream from the connection into a function called a (another overloaded function in a separate static class).
This specific function loads a new class (line 3), a random file name (line 6), a jar and a dex file (7,8) writes the file to disk then on line 23 calls the start method. This is known as dynamic class loading.
There was some level of obfuscation added to every sample, however, one forgot to obfuscate.
The actor most likely is using reverse TCP tunnels with Metasploit, generated by msfvenom and added to Softmining APK before distributing to victims.
Just as unofficial application sources are being exploited in Iran to promote unofficial and potentially harmful coronavirus apps, the regional applications being utilized in Italy create a greater attack surface. A greater number of government-sanctioned applications, causes users to be less certain of which COVID-19 mobile apps are legitimate. Threat actors have taken advantage of this confusion, and have released malicious applications, like this backdoored app, to prey on users who may mistakenly download the malicious app. To prevent this and protect their citizens, it is highly important that governments ensure consistency with where COVID-19 mobile apps are able to be downloaded, and even with their appearance.
The coronavirus pandemic demonstrates a new trend in government and nation-sponsored COVID-19 mobile apps. If this is the new norm, then there is a massive amount of risk that everyday citizens inherit if these applications are not properly vetted and distributed. Unofficial download sources and app stores put users at risk by making it possible for users to download applications that are not vetted by a trusted third party, such as an app store. This lack of vetting process can provide malicious developers to create applications with backdoors to access sensitive information user’s phone, without the user being aware of the risk. While rapidly developed applications are useful to help meet demand for information in a time of crisis, failure to properly audit these apps prior to their release puts users at risk, and in Colombia’s case, over 100,000 people had the vulnerable application installed. Confusion surrounding official information channels, like in the case of Italy where there are many sanctioned applications, also puts users at increased risk of falling victim to unofficial applications like the backdoored one Alpha Team identified. Government agencies owe it to their citizens to ensure the thorough review of any sanctioned application, as well as clear information about where to download official apps, or they are putting their citizen’s privacy at risk.
Indicators of Compromise
CoronaApp, Targeting Iranian Users
7b9bb74afee6ad86d14d6e9b12421a745915ccbc5a09b399415afe5ecc7bcdc9 coronaapp2.apk 6c94071da2c2510698ed9ce6bd2877f00930014a075f776cbfe4b23623d7aa6d coronaapp3.apk 49fb82b0f9802290c7fb1c93b59649d30b8baf6e73c102f0ce1e226147ae4c51 coronagame.apk
Table 1. Highlighted CoronaApp[.]ir Functions
|getPackageName : Return the name of this application’s package.|
getActiveNetworkInfo : Returns details about the currently active default data network.
getAllNetworkInfo : Returns connection status information about all network types supported by the device.
getAltitude : Get the altitude if available, in meters above the WGS 84 reference ellipsoid.
getApplicationRestrictions : Retrieves the application restrictions for a given target application running in the calling user.
getConnectionInfo : Return dynamic information about the current Wi-Fi connection, if any is active.
getDetailedState : Reports the current fine-grained state of the network.
getDeviceId : Returns the unique device ID, for example, the IMEI for GSM and the MEID or ESN for CDMA phones.
getDisplayCountry : Returns the name of this locale’s country, localized to locale.
getDisplayLanguage : Returns the name of this locale’s language, localized to locale.
getInetAddresses : Convenience method to return an Enumeration with all or a subset of the InetAddresses bound to this network interface.
getIpAddress : Get IP address.
getLastKnownLocation : Returns a Location indicating the data from the last known location fix obtained from the given provider.
getLatitude : Get the latitude, in degrees.
getLine1Number : Returns the phone number string for line 1, for example, the MSISDN for a GSM phone.
getLongitude : Get the longitude, in degrees.
getMacAddress : Get MAC address.
getNetworkInfo : Returns connection status information about all network types supported by the device.
getRunningAppProcesses : Returns a list of application processes that are running on the device.
getRunningTasks : Return a list of the tasks that are currently running.
getSpeed : Get the speed if it is available, in meters/second over ground.
Command and Control Servers