Cyble-Fake_CoronApp_Android_APK_Colombia

A Deep-dive Analysis of a Fake CoronApp Targeting Android Users from Colombia

Since the onset of the pandemic, numerous threat actors (TAs) have used the COVID-19 situation as a lure for cyberattacks. Cyble Research Labs has observed TAs targeting users through a range of vectors, including phishing campaigns and ransomware.

During routine Open-source Intelligence (OSINT) research, we came across a fake COVID-19-themed Android app posted by a researcher on Twitter. The post contained the hash of the Android APK and the link where the malicious file was hosted. On further investigation, we found that the malware is a counterfeit of CoronApp, the official app released by the Government of Colombia to manage the COVID-19 situation in the country.

CoronApp is a mobile application developed jointly by the Government of Colombia and the National Institute of Health, Colombia, to help people deal with the challenges arising from the pandemic. It is available on the Google Play Store and the Apple App Store.

The figure below shows the icon of the original CoronApp, which the TA reuses to trick users into installing the fake app.

Figure 1: The original and fake versions have similar icons

We downloaded the fake Android Package (APK) from hxxp://androidmedallo.duckdns[.]org and analyzed it in detail. Besides the fake app, which behaves as surveillance software, the same host also serves software for other platforms such as Windows; our investigation indicates that those files are malicious as well. This analysis focuses on the counterfeit CoronApp.

Analysis of the APK shows that the malicious software functions as a Remote Access Trojan (RAT), a class of malware that gives the attacker remote control over the victim's device.

This RAT requests a range of dangerous permissions. Once they are granted, the malware can collect the call logs, contacts and SMS messages stored on the infected device. It also takes complete control of the device by getting itself activated as a device administrator (DEVICE_ADMIN) and as an accessibility service (ACCESSIBILITY).

Technical Analysis  

The metadata of the fake app is given below:

APK Metadata Information:  

  • App Name: Corona App  
  • Package Name: com.android.tester  
  • SHA256 Hash:  

d6cf06cd34f50317131591268d23ef266c01bf3f758893568f10204825cc3369  

Figure 2: APK File Metadata Information  

The application declares 51 permissions in its manifest, 18 of which are dangerous because they enable the RAT's surveillance activities. Some of them are listed below:

  • android.permission.READ_CALL_LOG: read the call logs stored on the device.
  • android.permission.READ_CONTACTS: read the device address book.
  • android.permission.READ_SMS: read the SMS messages stored on the device.
  • android.permission.SYSTEM_ALERT_WINDOW: draw windows on top of other apps (overlays).
  • android.permission.BIND_DEVICE_ADMIN: declared on the app's DeviceAdminReceiver; once the user activates it, the app holds device-administrator privileges.
  • android.permission.BIND_ACCESSIBILITY_SERVICE: declared on the app's accessibility service; once the user enables it, the app can read and interact with whatever is on the device's screen.
  • android.permission.RECORD_AUDIO: record audio using the device's microphone.
  • android.permission.READ_EXTERNAL_STORAGE: read files from the device's external storage.

If the user grants these permissions, the malware can take complete control of the device and collect sensitive information from it.

On launch, the application asks the user to enable the two most dangerous of them, the accessibility service (BIND_ACCESSIBILITY_SERVICE) and the device administrator (BIND_DEVICE_ADMIN), as shown in Figure 3.

Figure 3: The fake app asks the user to enable its accessibility service and device administrator

BIND_ACCESSIBILITY_SERVICE lets the RAT observe and interact with whatever is on the device's screen.

BIND_DEVICE_ADMIN lets the fake app act as a device administrator, which also prevents the user from uninstalling it until the administrator is deactivated.

The malware keeps a persistent socket connection to its Command and Control (C&C) server, over which it receives commands to collect information, place calls, record through the microphone and even wipe the device.

Through its device-administrator privileges, the malware can lock the device and perform a factory reset on command. It can also set the lock-screen password to a string supplied by the C&C server, as shown in Figure 4. Note that Android 7.0 and later progressively restrict the resetPassword() capability of device administrators, so whether this works depends on the victim's Android version.

Figure 4: Code used for resetting or locking the device  

The RAT abuses the accessibility service to hook the device screen: it receives accessibility events for on-screen activity and uses them to monitor the screen and log keystrokes. The code used for this is shown in Figure 5.

Figure 5: Code to monitor device screen using ACCESSIBILITY  

The RAT performs its surveillance actions on instructions from the C&C server. Incoming commands are matched against preset values stored in the application; our code analysis shows that they are received as integers.

For example, the application collects contacts when it receives the corresponding command. The figure below shows how the RAT identifies a command from the C&C server.

Figure 6: Code to identify the commands from the C&C server  

The information collected by the malware includes:

  1. The list of applications installed on the device
  2. The wallpaper set on the device
  3. The GPS location of the device
  4. Contacts from the device phone book (the code used to collect them is shown in Figure 7)

Figure 7: Code to collect Contacts from the victim's device

  5. Call logs (Figure 8); the malware also monitors incoming and outgoing calls through listeners, shown in Figure 9

Figure 8: Code to collect Call Logs from device
Figure 9: Code to collect incoming and outgoing call details

  6. Newly received SMS messages (Figure 10)

Figure 10: Code to collect incoming SMS messages

  7. Files on the device's external storage (Figure 11)

Figure 11: Code to collect files in External Storage

The malware can also delete files from external storage on command from the C&C server.

C&C server: androidmedallo[.]duckdns[.]org (resolving to 46.246.84[.]12), port 5214
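To turn these indicators into a detection, here is an added example (not part of Cyble's report or tooling) that matches the C&C domain, IP and port against log lines. The Zeek-style DNS and connection log lines and their field layout are constructed for illustration; the indicators themselves are the ones published in this report.

```python
"""Match the C&C indicators from this report against constructed log lines.

Added example, not Cyble's tooling. The log lines below are constructed
(Zeek-style dns.log / conn.log fields, tab-separated) and are not real traffic;
the indicators are the ones published in the report.
"""
import ipaddress
from dataclasses import dataclass

# Indicators from the report (shown defanged in the text; live values here for matching).
C2_DOMAIN = "androidmedallo.duckdns.org"
C2_IP = ipaddress.ip_address("46.246.84.12")
C2_PORT = 5214

# Constructed sample lines. Field layout: ts, src_ip, query (dns) and
# ts, src_ip, dst_ip, dst_port, proto (conn).
SAMPLE_DNS = """\
1617000001\t10.0.0.5\tandroidmedallo.duckdns.org
1617000002\t10.0.0.7\twww.example.org
1617000003\t10.0.0.9\tANDROIDMEDALLO.DUCKDNS.ORG.
"""
SAMPLE_CONN = """\
1617000010\t10.0.0.5\t46.246.84.12\t5214\ttcp
1617000011\t10.0.0.7\t93.184.216.34\t443\ttcp
1617000012\t10.0.0.9\t46.246.84.12\t80\ttcp
"""


@dataclass
class Hit:
    source: str     # "dns" or "conn"
    host: str       # internal host that triggered the hit
    indicator: str  # which IoC matched
    line: str       # the raw log line


def _domain_matches(query: str, ioc: str) -> bool:
    # Normalise case and a trailing dot; match the domain itself or any subdomain.
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def scan_dns(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, query = line.split("\t")
        if _domain_matches(query, C2_DOMAIN):
            hits.append(Hit("dns", src, C2_DOMAIN, line))
    return hits


def scan_conn(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, _proto = line.split("\t")
        if ipaddress.ip_address(dst) == C2_IP:
            # Any contact with the C&C IP is worth flagging; record whether the
            # non-standard port from the report was used.
            tag = f"{C2_IP}:{dport}"
            if int(dport) != C2_PORT:
                tag += " (port differs from report)"
            hits.append(Hit("conn", src, tag, line))
    return hits


def infected_hosts(dns_text: str, conn_text: str) -> set[str]:
    """Internal hosts that resolved the C&C domain or connected to the C&C IP."""
    return {h.host for h in scan_dns(dns_text) + scan_conn(conn_text)}


if __name__ == "__main__":
    for h in scan_dns(SAMPLE_DNS) + scan_conn(SAMPLE_CONN):
        print(f"[{h.source}] {h.host} -> {h.indicator}")
    print("hosts to isolate:", sorted(infected_hosts(SAMPLE_DNS, SAMPLE_CONP)) if False else sorted(infected_hosts(SAMPLE_DNS, SAMPLE_CONN)))
```

The domain check matches subdomains as well, because DuckDNS names are often fronted by per-victim labels; the connection check flags any contact with the IP and only annotates the port, since the operator can move the listener off 5214 without changing the IoC.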

The RAT hides its presence from the victim by removing its icon from the launcher, as shown in Figure 12.

Figure 12: Screenshot shows the app hides from user’s visibility  

We observed that the malware uploads the wallpaper set on the victim's device to the C&C server and can also eavesdrop on the victim's surroundings through the device's microphone.

Figure 13 shows the code used to collect the device wallpaper.

Figure 13: Code to collect the wallpaper image  

Besides these activities, the malicious application can change the victim's wallpaper on command from the C&C server. It also triggers its activity on device events, for which the RAT registers listeners:

  1. BOOT_COMPLETED: device boot-up, which lets the RAT resume after a reboot.
  2. POWER_CONNECTED and POWER_DISCONNECTED: a charger being connected or disconnected.
  3. PACKAGE_ADDED, PACKAGE_DELETED, PACKAGE_INSTALLED and PACKAGE_REMOVED: applications being installed on or removed from the device.
  4. PHONE_STATE: changes in the call state, such as an incoming call.
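The permission list in the Technical Analysis section and the event listeners above can both be read straight out of the decoded manifest, which is the first thing a triage script should do with a sample like this. The following is an added example (not Cyble's code) that parses an apktool-style AndroidManifest.xml and reports dangerous permissions, components bound with BIND_ACCESSIBILITY_SERVICE or BIND_DEVICE_ADMIN, and the broadcast actions the app listens for. The embedded manifest is constructed to mirror the report: only the package name and app label come from the report, and the component names (.SpyService, .AdminReceiver, .EventReceiver) are invented placeholders.

```python
"""Triage an AndroidManifest.xml (as decoded by apktool) for the traits this
report describes: dangerous permissions, system-bound components and the
broadcast actions the app registers for.

Added example, not Cyble's code. SAMPLE_MANIFEST is constructed; only the
package name and label come from the report, component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's protectionLevel="dangerous" permissions.
DANGEROUS = {
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS",
}
# "Special" permissions that need a dedicated settings toggle rather than a runtime prompt.
SPECIAL = {"android.permission.SYSTEM_ALERT_WINDOW"}
# These two are not requested via <uses-permission>; they are declared on a
# component so that only the system can bind to it.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.android.tester">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Corona App">
    <service android:name=".SpyService" android:permission="{BIND_ACCESSIBILITY}">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="{BIND_DEVICE_ADMIN}">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def triage(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = [_attr(e, "name") for e in root.iter("uses-permission")]
    report = {
        "package": root.get("package"),
        "label": _attr(root.find("application"), "label"),
        "permission_count": len(perms),
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "special": sorted(p for p in perms if p in SPECIAL),
        "accessibility_services": [],
        "device_admin_receivers": [],
        "listened_actions": set(),
    }
    for svc in root.iter("service"):
        if _attr(svc, "permission") == BIND_ACCESSIBILITY:
            report["accessibility_services"].append(_attr(svc, "name"))
    for rcv in root.iter("receiver"):
        if _attr(rcv, "permission") == BIND_DEVICE_ADMIN:
            report["device_admin_receivers"].append(_attr(rcv, "name"))
        for action in rcv.iter("action"):
            report["listened_actions"].add(_attr(action, "name"))
    return report


def risk_score(report: dict) -> int:
    """Crude triage score: one point per dangerous/special permission, three per
    privileged binding, one for boot persistence. Thresholds are an assumption."""
    score = len(report["dangerous"]) + len(report["special"])
    score += 3 * (len(report["accessibility_services"]) + len(report["device_admin_receivers"]))
    if "android.intent.action.BOOT_COMPLETED" in report["listened_actions"]:
        score += 1
    return score


if __name__ == "__main__":
    r = triage(SAMPLE_MANIFEST)
    for k, v in r.items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
    print("risk score:", risk_score(r))
```

A service bound with BIND_ACCESSIBILITY_SERVICE or a receiver bound with BIND_DEVICE_ADMIN is not malicious by itself (screen readers and MDM agents use both), but the combination with the call-log, SMS and contact permissions and boot persistence is the profile this sample shows. Run it against the real decoded manifest by replacing SAMPLE_MANIFEST with the file contents.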

Conclusion  

The analysis shows that the fake CoronApp gives the attacker complete control over an infected device. Since the fake application reuses the icon of the legitimate CoronApp published by the Government of Colombia, we suspect that the TA is targeting Android users in Colombia.

The attacker can only get the app onto a device through sideloading, which is disabled by default on Android: unless the user explicitly allows installation from unknown sources (a per-app setting since Android 8.0), the malicious app cannot be installed.

Our Recommendations 

The essential cybersecurity best practices below form the first line of defence against such attackers. We recommend that our readers follow them:

  1. If you find this malware on your device, uninstall it immediately. Deactivate its device-administrator privilege first, since an active device admin cannot be uninstalled.
  2. Use the shared IoCs to monitor for and block the infection.
  3. Keep your anti-virus software updated to detect and remove malicious software.
  4. Keep your system and applications updated to the latest versions.
  5. Use strong passwords and enable two-factor authentication.
  6. Download and install software only from official app stores.
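For an incident responder with adb access, the presence, accessibility and device-admin traits discussed in the conclusion and in recommendation 1 can be checked from three command outputs. The following is an added example (not Cyble's code). The command outputs embedded in it are constructed samples in the format of `pm list packages`, `settings get secure enabled_accessibility_services` and the "Enabled Device Admins" section of `dumpsys device_policy`; the exact dumpsys layout differs between Android releases, so that parser is an assumption to adjust for the target build.

```python
"""Check a device for the traits of this RAT from the output of three adb commands.

Added example, not Cyble's code. The outputs below are constructed samples;
the dumpsys layout is an assumption that varies by Android release.
"""
import re

SUSPECT_PACKAGE = "com.android.tester"  # package name from the report

# Constructed output of: adb shell pm list packages
PM_LIST = """\
package:com.android.chrome
package:com.android.tester
package:com.google.android.gms
"""
# Constructed output of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY = ("com.android.tester/com.android.tester.SpyService:"
                 "com.google.android.marvin.talkback/.TalkBackService")
# Constructed, abridged output of: adb shell dumpsys device_policy
DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.tester/.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
      policies:
        force-lock
        reset-password
        wipe-data
"""


def installed_packages(pm_output: str) -> set[str]:
    return {l.split(":", 1)[1].strip() for l in pm_output.splitlines() if l.startswith("package:")}


def enabled_accessibility(setting: str) -> list[str]:
    # The setting is a colon-separated list of package/service entries, "null" when unset.
    if not setting or setting.strip() == "null":
        return []
    return [e.strip() for e in setting.split(":") if e.strip()]


def device_admins(dumpsys_output: str) -> list[str]:
    # Assumed layout: admins appear as "    pkg/.Receiver:" under the
    # "Enabled Device Admins" header, their properties indented further.
    admins, in_section = [], False
    for line in dumpsys_output.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            m = re.match(r"^\s{4}(\S+/\S+):\s*$", line)
            if m:
                admins.append(m.group(1))
    return admins


def _pkg(component: str) -> str:
    return component.split("/", 1)[0]


def assess(pm_output: str, setting: str, dumpsys_output: str,
           package: str = SUSPECT_PACKAGE) -> dict:
    return {
        "installed": package in installed_packages(pm_output),
        "accessibility_enabled": any(_pkg(c) == package for c in enabled_accessibility(setting)),
        "device_admin": any(_pkg(c) == package for c in device_admins(dumpsys_output)),
    }


def removal_steps(findings: dict, package: str = SUSPECT_PACKAGE) -> list[str]:
    """Order matters: an active device admin blocks uninstall, so deactivate it first."""
    steps = []
    if findings["device_admin"]:
        steps.append(f"deactivate {package} under Settings > Security > Device admin apps")
    if findings["accessibility_enabled"]:
        steps.append(f"disable the {package} accessibility service under Settings > Accessibility")
    if findings["installed"]:
        steps.append(f"adb uninstall {package}")
    return steps


if __name__ == "__main__":
    findings = assess(PM_LIST, ACCESSIBILITY, DUMPSYS)
    print(findings)
    for step in removal_steps(findings):
        print("-", step)
```

Feed real output into `assess()` by capturing the three adb commands; if the device admin is still active, `adb uninstall` fails until it is deactivated through Settings, which is why the steps are ordered as they are.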

MITRE ATT&CK® Techniques

Tactic                Technique ID  Technique Name
Defense Evasion       T1406         Obfuscated Files or Information
                      T1418         Application Discovery
Discovery             T1421         System Network Connections Discovery
                      T1418         Application Discovery
                      T1426         System Information Discovery
                      T1424         Process Discovery
Collection            T1429         Capture Audio
                      T1507         Network Information Discovery
                      T1432         Access Contact List
                      T1430         Location Tracking
                      T1412         Capture SMS Messages
                      T1409         Access Stored Application Data
                      T1414         Capture Clipboard Data
Command and Control   T1573         Encrypted Channel
                      T1571         Non-Standard Port
Privilege Escalation  T1401         Device Administrator Permissions

Indicators of Compromise (IoCs):

Indicator                                                          Indicator type  Description
d6cf06cd34f50317131591268d23ef266c01bf3f758893568f10204825cc3369   SHA256          Sample hash
androidmedallo[.]duckdns[.]org:5214                                Domain:port     C&C server
46.246.84[.]12                                                     IP              C&C server IP

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  
