16.03.2020
Mobile Coronavirus Tracking App Coughs Up Ransomware
Cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that cause people to be emotional or fearful to drive their profits. Any time there are major news cycles happening on a topic that stirs a strong reaction, cybercriminals will not be far behind.
The Coronavirus is no different. Shortly after the first cases were confirmed, DomainTools’ researchers observed a minor uptick in domain names leveraging Coronavirus and COVID-19. These registrations have peaked significantly in the past few weeks and many of them are scams.
The security research team has continuously been monitoring these suspicious domains. The DomainTools security research team discovered a domain (coronavirusapp[.]site) that claims to have a real-time Coronavirus outbreak tracker available via an app download.
The domain prompts users to download an Android App that will give them access to a Coronavirus map tracker that appears to provide tracking and statistical information about COVID-19, including heatmap visuals. In reality, the app is poisoned with ransomware. This Android ransomware application, previously unseen in the wild, has been titled “CovidLock” because of the malware’s capabilities and its background story. CovidLock uses techniques to deny the victim access to their phone by forcing a change in the password used to unlock the phone. This is also known as a screen-lock attack and has been seen before on Android ransomware.