COVID-19 is one of the worst public health crises humanity has faced since the 1918 flu pandemic.
Governments around the world launched their own mobile apps to help citizens track symptoms and infections. However, security researchers at ZeroFOX Alpha Team uncovered a range of privacy concerns and security vulnerabilities, including backdoors, in these apps.
The Iranian government released an Android app called AC19 on the Iranian app store CafeBazaar. The app, released by the Ministry of Health, claimed it could detect whether or not people were infected by the virus. Its purpose was to exploit the confusion and fear gripping many parts of Iran over COVID-19 to boost Tehran's surveillance capabilities.
When Iranian users downloaded the app, they were prompted to verify their phone number, even though the government already has access to all phone numbers through its control of the country's cell providers. Once users provided their phone number, they were prompted to grant the app permission to send precise location data to government servers.
In addition, a copycat app called CoronaApp, created by threat actors, is available for direct download by Iranian citizens rather than via the Google Play Store. As a result, the app is not subject to the normal vetting process that might protect users from malicious intent. Because many citizens in Iran cannot access the official Google Play Store due to sanctions, they are more likely to download such unvetted apps.
Once installed, CoronaApp requests permission to access the user's location, camera, internet data and system information, and to write to external storage. It is this particular combination of requested permissions that reveals the developer's intent to access sensitive user information.
Separately, in March 2020 the Colombian government released a mobile app called CoronApp-Colombia on the Google Play Store to help people track potential COVID-19 symptoms. However, ZeroFOX researchers discovered that the app contained vulnerabilities in how it communicates over HTTP, affecting the privacy of more than 100,000 users.
As of March 25, version 1.2.9 of the app communicated insecurely with the API server throughout the app workflow. Specifically, it used HTTP instead of HTTPS or another more secure protocol for server communications. By making these insecure server calls to relay users' personal data, CoronApp-Colombia could put sensitive health and personal information at risk of compromise.
But there is a shred of good news. The Colombian CERT fixed the vulnerabilities three days after ZeroFOX Alpha Team submitted the vulnerability, listed as CVE-2018-11504 on MITRE, to them on March 26.
Last but not least, the Italian government created region-specific apps for tracking coronavirus symptoms, as the country is one of the places hit hardest by the COVID-19 pandemic.
As a result of the greater number of government-sanctioned apps, users are less certain which COVID-19 mobile apps are legitimate.
Threat actors are taking advantage of this confusion, and of the inconsistency in how the apps are released and made available, to launch malicious copycats that contain backdoors.
ZeroFOX Alpha Team found 12 Android application packages related to the attack campaign. Eleven of these packages were found to use various methods of obfuscation.
The first app analysed by Alpha Team was found to use a signing certificate whose signer was "Raven" with a location in Baltimore, likely a reference to the Baltimore Ravens NFL team. Furthermore, every other app analysed by the team used the same signing certificate and issuer details.
The backdoor is activated when the Android app receives a BOOT_COMPLETED event as the device boots, or when the app is opened.
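The three indicators the article describes (the sensitive-permission combination of the copycat CoronaApp, the cleartext HTTP traffic of the Colombian app, and the shared signing certificate and BOOT_COMPLETED trigger of the backdoored packages) can all be read from an app's manifest and signer details. The script below is an added example of how a defender might triage a batch of such apps; it is not ZeroFOX's tooling. It assumes the AndroidManifest.xml text and the signer subject have already been extracted with tools such as apktool and apksigner, and all package names, signer subjects and manifest contents in it are constructed sample data.

```python
"""Batch triage of Android app manifests and signer details.

Added example, not ZeroFOX's tooling. Assumes manifest XML and the APK
signer subject were extracted beforehand (e.g. apktool, apksigner); the
three apps below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Permissions that, requested together, suggest broad collection of user data
# (the combination the article attributes to the copycat CoronaApp).
SENSITIVE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def parse_manifest(xml_text):
    """Extract only the manifest facts the triage rules below need."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    boot_receivers = [
        r.get(A + "name")
        for r in root.iter("receiver")
        if any(a.get(A + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    return {
        "package": root.get("package"),
        "permissions": {p.get(A + "name") for p in root.iter("uses-permission")},
        "target_sdk": target,
        "cleartext_attr": None if app is None else app.get(A + "usesCleartextTraffic"),
        "has_nsc": app is not None and app.get(A + "networkSecurityConfig") is not None,
        "boot_receivers": boot_receivers,
    }


def cleartext_permitted(info):
    """Android allows cleartext HTTP unless the app opts out; the platform
    default became 'disallowed' for apps targeting API 28 and above."""
    if info["cleartext_attr"] is not None:
        return info["cleartext_attr"].lower() == "true"
    if info["has_nsc"]:
        return False  # a network security config exists; review it separately
    return info["target_sdk"] < 28


def findings(info):
    """Apply the three indicator rules to one parsed manifest."""
    f = []
    if SENSITIVE_PERMS <= info["permissions"]:
        f.append("sensitive-permission-combination")
    if info["boot_receivers"]:
        f.append("boot-completed-receiver")
    if cleartext_permitted(info):
        f.append("cleartext-http-permitted")
    return f


def triage(apps):
    """apps: list of (manifest_xml, signer_subject). Returns per-package
    findings and the signer subjects shared by more than one package."""
    report, by_signer = {}, defaultdict(list)
    for xml_text, signer in apps:
        info = parse_manifest(xml_text)
        report[info["package"]] = findings(info)
        by_signer[signer].append(info["package"])
    shared = {s: pkgs for s, pkgs in by_signer.items() if len(pkgs) > 1}
    return report, shared


def manifest(pkg, target, perms, boot=False, cleartext=None):
    """Build a minimal constructed manifest for the sample data below."""
    ct = f' android:usesCleartextTraffic="{cleartext}"' if cleartext else ""
    recv = ('<receiver android:name=".BootReceiver"><intent-filter>'
            f'<action android:name="{BOOT_ACTION}"/></intent-filter></receiver>') if boot else ""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{pkg}">'
            f'<uses-sdk android:targetSdkVersion="{target}"/>{uses}'
            f'<application{ct}>{recv}</application></manifest>')


COPYCAT_PERMS = sorted(SENSITIVE_PERMS) + ["android.permission.RECEIVE_BOOT_COMPLETED"]
SAMPLE_APPS = [  # constructed: package names, signers and manifests are invented
    (manifest("gov.example.health", 29,
              ["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"]),
     "CN=Example Health Ministry, O=Example Government"),
    (manifest("com.example.coronacopy.a", 23, COPYCAT_PERMS, boot=True),
     "CN=Raven, L=Baltimore"),
    (manifest("com.example.coronacopy.b", 29, COPYCAT_PERMS, boot=True, cleartext="true"),
     "CN=Raven, L=Baltimore"),
]

if __name__ == "__main__":
    report, shared = triage(SAMPLE_APPS)
    for pkg, f in report.items():
        print(pkg, f or "no findings")
    for signer, pkgs in shared.items():
        print("shared signer:", signer, "->", pkgs)
```

Run as-is, the official-looking sample app produces no findings, both copycats are flagged on all three rules, and the two copycats are grouped under the one shared signer subject. The cleartext rule deliberately treats the presence of a network security config as "reviewed elsewhere" rather than parsing it, so an app that ships a config permitting cleartext for specific domains still needs a manual look.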
The researchers advised governments that already have COVID-19 apps, or are considering releasing new ones, to keep the apps consistent in both where they can be downloaded and how they look, so as to limit the spread of malicious doppelgängers. Exercising due diligence during the development process will help secure the app and avoid exposing citizens to further privacy risk.