New research from Anomali Threat Research (ATR) suggests that at least ten countries have been targeted by fake contact tracing apps.
The regions affected are Armenia, India, Singapore, Colombia, Indonesia, Iran, Italy, Kyrgyzstan, Brazil, and Russia. In some cases more than one app targets a given region: one app imitates Aarogya Setu in India while another imitates the Chhattisgarh contact tracing app, and Singapore has two separate instances as well.
For the most part, the apps in question directly imitate government-sponsored apps, but the fakes themselves don't appear to be related to one another. Instead, this looks like opportunistic malicious behaviour from multiple groups or individuals, each taking advantage of the fact that users are actively seeking contact tracing apps, rather than the work of any single group or bad actor.
Of the 12 applications found infecting user devices, more than half are trojans, and one of the remaining samples appears to be adware.
But four of the newly discovered threats are built on either Anubis or Spynote. Those four, affecting India, Brazil, Russia, and Indonesia, represent the more serious threats.
Fake contact tracing apps are bad enough, but what are Anubis and Spynote?
As noted above, Anubis and Spynote are the two malware families singled out in the ATR research. They present a different class of threat from the other samples: each has its own set of capabilities, but there is also considerable overlap between them.
Both can access SMS messages, location data, and contacts; Anubis additionally collects system information, while Spynote digs deeper into a device's identifying information. Both can record phone calls. Only Spynote can place calls from the victim's number and read or write SMS messages and edit contacts. That is roughly where the similarities end.
Anubis goes further, deploying custom injections aimed chiefly at banking and social media apps to harvest information. It also performs keylogging, makes use of the permissions it obtains, and draws custom overlays to steal credentials. Beyond that, Anubis can hide itself from the app drawer once it's launched, so users won't necessarily even know it's there.
Spynote, conversely, can enumerate installed apps and install new ones. It also reads browser history and can exfiltrate files, pushing data it has collected off the device to its operator. Finally, Spynote has the distinctive capability of capturing photos from the camera.
Anubis was spotted in action in Brazil and in Russia. Spynote appears to be limited to Indonesia and India, specifically imitating the Aarogya Setu app, for now. In each case, the malicious app imitates the government-sponsored contact tracing app.
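One practical way to use the capability lists above is as a triage rule for a suspected fake tracing app: a genuine Bluetooth/GPS contact tracer needs Bluetooth and location, not SMS access, contact editing, call recording, screen overlays or an accessibility service. The script below is an added example, not Anomali's tooling or code from the report. It scores a decoded AndroidManifest.xml (for instance one produced by apktool) against those capabilities. The permission-to-capability mapping, the "unexpected for a tracer" set, the package names and the two sample manifests are all constructed for the example. Note that Anubis hides from the app drawer at runtime, so that behaviour does not show up in a static manifest check.

```python
"""Triage a decoded AndroidManifest.xml against the Anubis/Spynote
capability set described above. Added example; the mapping and the
sample manifests are constructed for illustration, not from the ATR report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permission groups standing in for the behaviours in the report
# (assumed mapping, not the report's own).
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "calls": {"android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
              "android.permission.READ_CALL_LOG"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},  # credential overlays
    "camera": {"android.permission.CAMERA"},
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# A keylogger on Android is normally an AccessibilityService, which must be
# declared as a <service> guarded by this permission.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Capabilities a genuine Bluetooth/GPS contact tracer has no use for (assumption).
UNEXPECTED_FOR_TRACING = {"sms", "contacts", "calls", "overlay",
                          "accessibility", "camera", "install_apps"}


def analyse_manifest(manifest_xml: str) -> dict:
    """Return the package name, the matched capabilities and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITY_PERMISSIONS.items()
            if requested & perms}
    if any(s.get(PERMISSION_ATTR) == ACCESSIBILITY for s in root.iter("service")):
        caps.add("accessibility")
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "suspicious": bool(caps & UNEXPECTED_FOR_TRACING),
    }


# Constructed sample: a lookalike tracer requesting the Anubis/Spynote-style set.
FAKE_TRACER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.tracer">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Contact Tracing">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: what a Bluetooth-based tracer typically requests.
GENUINE_TRACER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.genuine.tracer">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Contact Tracing"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_TRACER_MANIFEST, GENUINE_TRACER_MANIFEST):
        print(analyse_manifest(manifest))
```

On the constructed samples the fake tracer matches six capabilities (accessibility, calls, contacts, location, overlay, sms) and is flagged, while the genuine one matches only location and passes. A manifest check is a first filter only: Anubis-style apps can also request permissions at runtime or drop a second payload, so a clean manifest does not clear an app.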
Where are these apps coming from?
It isn’t surprising that bad actors would take advantage of a global pandemic to steal data; it has happened before. But the exact origins of the various fake contact tracing apps aren’t known and, perhaps more concerning, it isn’t immediately clear where the apps are being downloaded from either.
Typically, apps like these come from outside Android’s built-in marketplace, the Google Play Store. Google Play Protect, which is enabled by default unless the user turns it off, scans apps both on the Play Store and once installed on the device, including sideloaded ones. That’s helpful, even if Play Protect can’t catch every threat.
That seems to be the case here too. Google’s Play Store isn’t among the likely distribution channels ATR lists; instead, the firm believes the apps are being dropped by other malicious apps or sideloaded from various websites. As noted above, the apps don’t appear to be related to one another.
It’s also possible that users are downloading the software from third-party app markets.
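Because ATR points at droppers and sideloading rather than the Play Store, the first thing to check on a device suspected of carrying one of these apps is who installed each third-party package. `adb shell pm list packages -3 -i` prints every third-party package together with its recorded installer (`com.android.vending` for Google Play, `null` when the APK was installed manually). The script below is an added example, not from the report: it parses that listing, reports everything not installed by a trusted store, and highlights sideloaded packages whose name borrows pandemic or contact-tracing wording. The listing, package names and keyword list are constructed for the example, and the trusted-installer set is an assumption you would extend with your OEM's store.

```python
"""Flag sideloaded third-party packages from `pm list packages -3 -i` output.
Added example; the listing, package names and keyword list are constructed."""
import re

# `pm list packages -i` prints lines such as:
#   package:com.example.app  installer=com.android.vending
# with installer=null when the APK was sideloaded (adb install or a file).
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Installers accepted as a curated store (assumption; add your OEM's store).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Wording the fake apps borrow from the genuine ones (assumed list).
LOOKALIKE_KEYWORDS = ("covid", "corona", "tracing", "tracer", "aarogya", "setu")


def parse_listing(listing: str) -> dict[str, str]:
    """Map package name -> installer for every well-formed line."""
    packages = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("installer")
    return packages


def sideloaded(listing: str) -> dict[str, str]:
    """Packages whose installer is not a trusted store (null = manual install)."""
    return {pkg: inst for pkg, inst in parse_listing(listing).items()
            if inst not in TRUSTED_INSTALLERS}


def lookalike_sideloads(listing: str) -> list[str]:
    """Sideloaded packages whose name mimics a contact tracing app."""
    return sorted(pkg for pkg in sideloaded(listing)
                  if any(k in pkg.lower() for k in LOOKALIKE_KEYWORDS))


# Constructed sample output (not a real device listing).
SAMPLE_LISTING = """\
package:com.example.bank  installer=com.android.vending
package:com.example.weather  installer=com.example.store
package:com.covid.tracker.update  installer=null
package:org.example.contacttracing  installer=null
"""

if __name__ == "__main__":
    for pkg, inst in sideloaded(SAMPLE_LISTING).items():
        print(f"{pkg:35} installer={inst}")
    print("lookalikes:", lookalike_sideloads(SAMPLE_LISTING))
```

Run it against real output by piping `adb shell pm list packages -3 -i` into the script. An installer of `null` is not proof of malice (developers sideload their own builds all the time), but a manually installed package whose name imitates a government tracing app is exactly the pattern ATR describes and is worth pulling the APK for the manifest check above.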