CovidLock Ransomware is Here, Sending SMS To Your Contacts

With distressing conditions around the world, the attackers behind scams, phishing and malware campaigns during this virus season have decided not to rest and are trying to claim as many victims as they can through different techniques. Malicious websites and apps related to Coronavirus are already well known, and the attackers have now found a new way to catch their victims. The recently discovered URL http://coronavirusapp[.]site/mobile.html, which presents itself as a worldwide coronavirus tracker but in reality locks the victim's device with CovidLock ransomware to extort a ransom, has attracted the attention of many online users worldwide. Following this, researchers from Zscaler ThreatLabZ came across a new URL, http://coronasafetymask.tk, that asks users to install an app in order to get a corona safety mask. On analysis, this website was found to contain a trojan that sends SMS messages to everyone in your contact list.

ANALYSIS AND REVIEW OF THE SOURCE CODE

When this APK was analysed on VirusTotal, 5 out of 61 virus scanning engines flagged the app as malicious and found it to be delivering a trojan.

When you install this app, it asks for permission to read your contacts and to send messages from your SIM number (a major warning sign).

Permissions required by the app
Source: Zscaler
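The permission pair described above can be checked before an app is installed. The following is an added example, not code from the app or from Zscaler's analysis: it reads a decoded AndroidManifest.xml (for instance, one decoded with apktool) and flags an app that requests both contact access and SMS sending. The sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together allow the behaviour described in this article:
# reading the address book and sending SMS from the victim's SIM.
RISKY_COMBOS = {
    "contact-harvest + SMS send": {
        "android.permission.READ_CONTACTS",
        "android.permission.SEND_SMS",
    },
}

# Constructed sample manifest (assumption: not taken from the analysed APK).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maskshop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Mask Shop"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permissions named in <uses-permission*> elements."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter():
        # Covers both uses-permission and uses-permission-sdk-23.
        if elem.tag.startswith("uses-permission"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def flag_risky_combos(manifest_xml):
    """Return labels of risky combinations the app requests in full."""
    perms = requested_permissions(manifest_xml)
    return sorted(label for label, combo in RISKY_COMBOS.items()
                  if combo <= perms)


if __name__ == "__main__":
    for label in flag_risky_combos(SAMPLE_MANIFEST):
        print("FLAG:", label)
```

A flag here is a prompt for review, not a verdict: legitimate messaging apps request the same pair, so it matters whether the app's stated purpose needs it.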

As soon as you allow the permissions, the app asks you to press a button to get the corona mask. This button leads you to a third-party website that is responsible for selling corona masks. Although there is no evidence of it, there is a chance that the third-party website is a phishing page set up by the attacker, asking you to enter payment details that the attacker then captures. It is predicted that, as the app is in its early stages and is spreading slowly while building up its contacts, the attackers behind it will soon make this phishing page functional.

Action performed on pressing the button
Source: Zscaler

Although these are activities that may be within your control, the source code behind the app contains functions that work to spread it further. As the source code shows, as soon as you install the app, it automatically checks whether it has already read all your contacts and sent SMS messages to them.

SMS sending function
Source: Zscaler

If this condition is not true, a separate function in the source code reads all your contacts and sends them the SMS message “Get safety from corona virus by using Face mask, click on this link download the app and order your own face mask – hxxp://coronasafetymask.tk” in order to spread itself to as many users as it can, which results in huge carrier charges on the victim’s SIM. This function, which automatically reads your contacts and sends messages, is the trojan embedded inside this APK. A list below shows the SMS sent by the app.

Conclusion

As the Coronavirus spreads, cyber attacks are increasing day by day, and the attackers behind them are finding new ways to claim as many victims as they can. Here are some precautions you can take:

  • Do not download apps from anywhere other than trusted sources such as Google Play or the App Store.
  • Read carefully and be cautious when granting the permissions an app requests.
  • Do not enter any sensitive information if asked.
  • If necessary, run a virus scan on the app.