COVID-19 and SPYMax on Android APPs

    Cyber criminals are taking full
advantage of the COVID-19 pandemic and increased
communications surrounding it by installing spyware via apps to end-users’
mobile devices. The spyware being utilized is a commercial version called SpyMax, which can be acquired by anyone
with an internet connection and a credit

    Kristin Del Rosso, a researcher with mobile cybersecurity firm Lookout,
has associated the malware with over 30 rogue Android applications to date.
The re- searchers have not yet
associated the various corrupt apps with any
nationstate backed
actors but do note that the “use of these commercial surveillance- ware
families has been observed in the past as part of the tooling used by nationstates in the Middle East.”

    One of the
latest apps taking advantage of the COVID-19 crisis is titled “corona live 1.1”
which is a trojanized version of the legitimate “corona live” application that provides
an interface to the data at the Johns Hopkins
Corona Virus tracker such as infection rates and deaths
caused by the virus. Under the hood, the malicious app is utilizing the
commercial SpyMax application which
has typical spyware capabilities. The SpyMax
tool is capable of accessing files, call logs, SMS messages, contact lists,
location tracking, opening up a shell for the execution of further commands,
listening through the microphone, and watching through the camera.

    Researchers at
Lookout tracked down the command and control server for the app and pivoted
from there to find 30 other unique apps that all share the same infrastructure,
suggesting a much larger surveillance campaign has been in progress for some
time. The command and control domain appears to be hosted through the dynamic
DNS provider No-IP and resolves several different addresses within the same
range. The address space is operated by the Libyan Telecom and Technology
internet service provider. The researchers at Lookout also noted that these
apps were never available from the Google Playstore and that most instances are
being downloaded from third-party sites.

    Kristin Del Rosso also noted,
“This surveillance campaign highlights how in times of crisis, our innate need
to seek out information can be used against us for malicious ends. Furthermore,
the commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for
these malicious actors to spin up these bespoke campaigns almost as quickly
as a crisis like COVID-19 takes hold.”