As the coronavirus has been declared a pandemic, bad actors are certainly going to take advantage of the uncertainty around it to attack a large number of online users.
The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for ransom to unlock the device.
The screenshot below shows the Zscaler Cloud Behavioral Analysis report where the sample APK is flagged as malicious.
Figure 1: The Zscaler Behavioral Report for the CovidLock Ransomware
Upon further research, we found an article where security researchers from Domain Tools came across the same ransomware. As its basic details are covered in the article, we will not get into that discussion here. Instead, we'll do a technical walkthrough of the app. We will also describe an unlock routine, which can be used if you are a victim of this CovidLock ransomware.
App name: Coronavirus Tracker
Package name: com.device.security
Virus total: Not found during analysis
The app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user to allow it to conduct battery optimization. The ransomware does this to keep itself running in the background and to make sure that Android does not close the app to optimize battery performance.
|Figure 2: Request for battery optimization
Once the initial phase is over, the app requests access to Android's Accessibility feature. By integrating accessibility features and services, Android developers can improve the app's usability, particularly for users with disabilities. But it is common for attackers to use this functionality to keep the malware persistent.
|Figure 3: Accessibility functionality request
After the Accessibility request, the app asks for administrator privileges, which should raise a red flag for some users. To gain these rights, the app tries to trick the victim by stating that if the admin rights are activated, then the app can notify the user when a coronavirus patient is nearby.
|Figure 4: Admin rights request
Once admin rights are achieved by the app, the attack is launched. As soon as the victim clicks on "Scan Area For Coronavirus," the phone locks itself with a message on the locked screen. It asks for $250 as ransom in the form of bitcoins. Failure to do so, according to the attacker, can lead to the leaking of the victim's private data, including photos, videos, and more. The message can be seen in the screenshot below.
|Figure 5: The ransomware message on the locked device.
The screenshot below shows the steps that need to be performed by the victim to pay the ransom and unlock the device. It also shows the bitcoin address and email ID of the attacker. We are keeping on eye on this and will post updates in the near future.
|Figure 6: Ransomware payment details
We decided to take a look at the encryption protocol used by the attacker to encrypt the files so that we could figure out ways to decrypt the files, if possible. To our surprise, the app turned out to be implementing very vague functionalities and, in reality, the app was not encrypting anything.
Looking at the AndroidManifest.xml file, we confirmed that the ransomware does not use the internet at all and also no traces of internet permissions were found during runtime. This leads us to two conclusions:
- The message on the hacked device screen stating that all the personal data is stolen and sent to the attacker is totally false.
- If there is no direct communication encryption protocol used, then there has to be an even simpler way to unlock the device.
The second conclusion led us to the unlocking functionality where we found the hard-coded pin to unlock the device. If you are the victim of this ransomware, then use 4865083501 to unlock the device.
The screenshot below shows the verifyPin functionality.
|Figure 7: The manual unlocking routine.
Just unlocking the device does not complete the task from the victim's side. We also noticed that the app was hiding in the entire process. The screenshot below shows the hiding functionality, where the app hides the icon from the user and also deletes its activities from the Recent Apps list.
|Figure 8: The app attempting to hide.
It's crucial to remove the app from the apps list on your device. Android users can simply go to Settings to open up the application list. Coronavirus Tracker will be visible in the list as shown below.
|Figure 9: The Coronavirus Tracker in the installed apps list
The victim can easily uninstall the app. In some versions of Android, if the admin app cannot be removed directly, the user can first revoke the admin permissions and then uninstall the app. This is where the Android Accessibility functionality would be used by attackers to keep the app persistent. But we did not find any such usage in this ransomware.
The world is facing a huge crisis in the spread of the coronavirus, but attackers don't care and are always on the hunt to play on people's fears and victimize users. In such times, it's always advised to take the utmost care while surfing online. Zscaler customers are safe from such frauds, and we always advise everyone to follow basic precautions:
- Only install apps from official stores, such as Google Play.
- Never click on unknown links received through ads, SMS messages, emails, or the like.
- Never trust apps with claims that seem unrealistic. (There is no such technology yet invented which informs a user whether a coronavirus patient is around us.)
- Always keep the Unknown Sources option disabled in the Android device. This disallows apps to be installed on your device from unknown sources.