Official Government COVID-19 Apps Hide a Raft of Threats

Android apps launched for citizens in Iran, Colombia and Italy offer cyberattackers new attack vectors.

A rash of COVID-19 Android mobile apps have emerged that are aimed at helping citizens in Iran, Italy and Colombia track symptoms and virus infections. However, they’re also putting people’s privacy and the security of their data at risk, researchers have found.

Security researchers at the ZeroFOX Alpha Team have uncovered various privacy concerns and security vulnerabilities – including a backdoor in various apps. The apps are either created and endorsed by countries or invented as one-offs by threat actors to take advantage of the current pandemic, according to a blog post published Monday.

Researchers analyzed dozens of COVID-19 apps – which continue to emerge with the spread of the coronavirus, paving the way for related security threats across the globe. In the analysis, they highlighted three that pose a particular threat to citizens, citing not only potential cybercriminal activity but also simple mistakes by app developers.

In early March in Iran, one of the first places COVID-19 emerged as a serious health threat, the government released an official app, available on an Iranian app store known as CafeBazaar. The app was meant to track citizens, and it sparked privacy concerns because rather than provide vital health information, it appeared to have the sole purpose of harvesting user personal information, researchers wrote.

If the app itself wasn’t worrisome enough, threat actors also created a copycat app, dubbed CoronaApp, available online for direct download by Iranian citizens rather than via the Google Play Store, and thus not subject to the normal vetting process that might protect them from nefarious intentions. At the same time, due to sanctions, many citizens in Iran can’t access the official Google Play store, so they are more likely to download unvetted apps, the researchers pointed out.

While CoronaApp does not obviously show malicious intent, it does request permission to access a user’s location, camera, internet data and system information, and to write to external storage. This is a “particular collection of permissions [that] demonstrates the likely intent of the developer to access sensitive user information,” researchers wrote.

Moreover, app creators claim the app is built with support from the Iranian government, though screenshots of the offering do not support this claim, they added.

“Given…its lack of standard transport security, the permissions the app requires versus its description on the splash page and news websites, as well as the functions used in external libraries, Alpha Team assesses with high confidence that this application can be abused in the future,” researchers wrote.

Good Intentions Gone Wrong

In Colombia – another country that’s imposed citizen restrictions during the pandemic – the government last month released a well-intended mobile app called CoronApp-Colombia on Google Play to help people track potential COVID-19 symptoms. However, the app also included vulnerabilities in how it communicates over HTTP, which affect the privacy of more than 100,000 users, ZeroFOX researchers warned.

“The current version, 1.2.9 as of March 25, uses insecure communication with the API server throughout the app workflow,” researchers wrote. Specifically, it uses HTTP instead of the more secure HTTPS or another protocol for API server communications.

Since it’s making insecure server calls to relay users’ personal data, CoronApp-Columbia could “put sensitive user health and personal information at risk of being compromised,” researchers explained.

“This API_URL is used multiple times throughout the app and makes HTTP requests to the server, located in the U.S., to relay personal health information (PHI) and personally identifiable information (PII),” they noted. “The same URL is also hardcoded into additional API calls, without using the API_URL.”

In total, researchers observed 55 HTTP requests that use the URL, and several of these are API payloads that contain PHI and PII, they said.

One spot of good news: ZeroFOX Alpha Team submitted the vulnerability, listed on MITRE as CVE-2018-11504, to Colombian CERT on March 26, and the agency fixed the vulnerability three days later, researchers said, showing a “rapid security vulnerability response.” Users should thus update to the latest version.

Regional Danger

In Italy, one of the places the COVID-19 pandemic has hit the worst, the government has created region-specific apps for tracking coronavirus symptoms, according to Alpha Team. Threat actors are taking advantage of the inconsistency in the apps’ releases and availability to launch malicious copycats that contain backdoors.

“A greater number of government-sanctioned applications causes users to be less certain of which COVID-19 mobile apps are legitimate,” according to ZeroFox. “Threat actors have taken advantage of this confusion, and have released malicious applications, like this backdoored app, to prey on users who may mistakenly download the malicious app.”

In all, they found 12 Android application packages related to the campaign. All but one of them used various methods of obfuscation, researchers added.

They said that the signing certificate of the first malicious app that they found in this group piqued their suspicion. Though the service for Italian citizens, the signer of the app was “Raven” with a location in Baltimore, likely a reference to the Baltimore Ravens NFL team.

“Every app analyzed by Alpha Team used these signing certificate and issuer details,” researchers said.

The backdoor is activated when the Android app receives a BOOT_COMPLETED intent when the phone boots, or when the app is opened, researchers wrote.

Researchers advised governments with COVID-19-related apps or those thinking about releasing new ones to “ensure consistency with where COVID-19 mobile apps are able to be downloaded, and even with their appearance,” to help avoid the spread of malicious doppelgangers.

They also recommended due diligence during the development process to secure any government-sponsored mobile apps and avoid putting citizens at further privacy risk.

“The coronavirus pandemic demonstrates a new trend in government- and nation-sponsored COVID-19 mobile apps,” researchers wrote in the post. “If this is the new norm, then there is a massive amount of risk that everyday citizens inherit if these applications are not properly vetted and distributed.”

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles