Cyber criminals are taking full advantage of the COVID-19 pandemic and increased communications surrounding it by installing spyware via apps to end-users’ mobile devices. The spyware being utilized is a commercial version called SpyMax, which can be acquired by anyone with an internet connection and a credit card.
Kristin Del Rosso, a researcher with mobile cybersecurity firm Lookout, has associated the malware with over 30 rogue Android applications to date. The researchers have not yet associated the various corrupt apps with any nation-state-backed actors but do note that the “use of these commercial surveillanceware families has been observed in the past as part of the tooling used by nation-states in the Middle East.”
One of the latest apps taking advantage of the COVID-19 crisis is titled “corona live 1.1,” a trojanized version of the legitimate “corona live” application, which provides an interface to the data in the Johns Hopkins Coronavirus tracker, such as infection rates and deaths caused by the virus. Under the hood, the malicious app embeds the commercial SpyMax tool, which has typical spyware capabilities: it can access files, call logs, SMS messages, contact lists and location data, open a shell for the execution of further commands, listen through the microphone, and watch through the camera.
Researchers at Lookout tracked down the command and control server for the app and pivoted from there to find 30 other unique apps that all share the same infrastructure, suggesting a much larger surveillance campaign has been in progress for some time. The command and control domain appears to be hosted through the dynamic DNS provider No-IP and resolves to several different addresses within the same range. That address space is operated by the Libyan Telecom and Technology internet service provider. The researchers at Lookout also noted that these apps were never available from the Google Play Store and that most instances are being downloaded from third-party sites.
Kristin Del Rosso also noted, “This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold.”