All manner of malware targeting Google’s Android operating system has emerged with COVID-19 themes.
Would the Syrian government exploit the COVID-19 crisis to spy on the nation’s already beleaguered population? That’s the suspicion of researchers at cybersecurity company Lookout, which discovered spyware that could snoop on Google Android users through their phone cameras and microphones, whilst secretly grabbing other personal data from the device.
The Android app uncovered by Lookout’s Kristin Del Rosso was simply called Covid19. Though it’s unclear how the app is being disseminated to targets (it’s not via the official Google Play store), it appears to be aimed at Syrians, given the language and the location of the app’s infrastructure. Though Syria has few confirmed cases, concerns have been raised about purposeful misreporting and the potential for a calamitous impact on a nation already torn apart by civil war.
How the app works and where it came from
Prior to installation of the spyware, the user is asked to download what promises to be a digital thermometer. But it’s a fake. When the user holds down their finger on the screen, they’re always informed that their body temperature is 35°C. Meanwhile, malware known as AndoServer secretly spies on the victim.
Del Rosso told Forbes there was a “high probability” the app was the work of the infamous Syrian Electronic Army (SEA), a state-sponsored, pro-Assad hacking group. The SEA became infamous in the mid-2010s for hacking into the social media accounts of notable organizations and individuals. One of their victims was Forbes, and some of its alleged members made the FBI Most Wanted list.
The code of the COVID-19-themed app contained “unintentional traces” of a persona dubbed Allosh, who was associated with a previous hacking campaign carried out by the crew, Del Rosso found.
She found another link back to the Syrian regime. The computers and servers used to host the application were controlled by Tarassul Internet Service Provider, an ISP owned by the state-owned Syrian Telecommunications Establishment (STE). Malicious Android WhatsApp updates previously associated with the SEA were also run from IP addresses belonging to STE.
Del Rosso discovered similar coronavirus-themed Android malware last month that appeared to be the work of hackers in Libya.
What to do
For the average user outside of Syria, the Android malware, which works on Google’s operating system from Gingerbread (2.3.3) up to the latest version, shouldn’t pose much of a threat. But they’ll want to be careful where they’re downloading apps from. “We have not seen the applications in any official app stores, but in the past, this actor has created their own watering hole sites imitating sites of official applications for download, and offered a link to the malware. It is also possible targets could be lured by links sent via SMS,” warned Del Rosso.
Sticking with Google Play, where non-official COVID-19 apps have been banned, is a much safer choice for downloading any app, not just those related to the pandemic.
Forbes has been keeping an eye on all the coronavirus-themed online threats out there, which you can find here.