Researchers have discovered a spike in newly registered domains that use "coronavirus" or "COVID-19" as part of the domain name. Their findings revealed that many of these sites are set up as scams, including ransomware aimed specifically at Android users.
The Seattle-based DomainTools security research team, reporting its findings in a blog post, discovered a domain (coronavirusapp[.]site) claiming to offer a real-time coronavirus outbreak tracker.
“In reality, the app is poisoned with ransomware. This Android ransomware application, previously unseen in the wild, is titled CovidLock, because of the malware’s capabilities and its background story,” Tarik Saleh, senior security engineer and malware researcher, said. He explained that CovidLock denies victims access to their phone by forcing a change in the password used to unlock the phone. The technique, known as a screen-lock attack, has been used before by cybercriminals in other Android ransomware.
For those used to hearing about ransomware directed at organizations through a business email compromise, this is a different situation. “The ransomware itself isn’t trying to collect any information on people. It’s effectively just resetting the pin code on their lock screen,” Saleh pointed out. The ransom note demands $100 in bitcoin within 48 hours. “It threatens to erase your contacts, pictures and videos, as well as your phone’s memory. It even claims that it will leak your social media accounts publicly.”
This is particularly disturbing for Android users, who account for more than 86% of the smartphone market, according to IDC, but who tend to have lower incomes and spend less on technology than iPhone owners, according to a survey by shopping platform Slickdeals. So a relatively small ransom combined with a phone lockdown is a big deal, especially because it is hard for people to get their phones fixed right now, with many shops closed. “It is a double whammy when it comes to impact,” Saleh said.
There is one important aspect of this ransomware that relates to the credit union world, Saleh suggested. “I come from credit unions as well. The attacker does not access (the victim’s) bank account information. However, they do have the ability to disrupt people’s financial livelihood. Really think about the impact of what losing your mobile phone means nowadays.” Victims cannot do remote banking, for example, Saleh added. “If you are in an area, like here in Seattle, you might not be able to walk into a financial institution right now for the next couple of weeks. The impact of the individual is pretty huge here.”
DomainTools noted that since the Android Nougat operating system rolled out, Android has had protection in place against this type of attack. However, it only works when a lock-screen password has already been set. “If you haven’t set a password on your phone to unlock the screen, you’re still vulnerable to the CovidLock ransomware,” Saleh pointed out.
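The Nougat-era protection described above applies only when a lock-screen credential is already set, and a screen-lock ransomware needs device-admin rights to change the PIN at all. The following Android helper is an added example, not code from the article or from DomainTools; it uses the platform's KeyguardManager and DevicePolicyManager APIs to report both conditions so a user or a security app can act on them. The class and method names are the example's own.

```java
// Added example (not from the article or DomainTools): audit the two
// conditions relevant to a screen-lock ransomware like CovidLock.
//  1. Is a real lock-screen credential (PIN/pattern/password) set? The
//     platform-level resetPassword() protection only applies when it is.
//  2. Which apps currently hold device-admin rights? Changing the lock
//     screen PIN requires that privilege, so unexpected entries matter.
import android.app.KeyguardManager;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class LockScreenAudit {

    /** Result of one audit run (hypothetical holder type for this example). */
    public static final class Result {
        public final boolean lockScreenSet;
        public final List<String> activeAdmins;

        Result(boolean lockScreenSet, List<String> activeAdmins) {
            this.lockScreenSet = lockScreenSet;
            this.activeAdmins = Collections.unmodifiableList(activeAdmins);
        }

        /** True when the device is in the state the article calls vulnerable. */
        public boolean isExposed() {
            return !lockScreenSet;
        }
    }

    public static Result run(Context ctx) {
        // isDeviceSecure() (API 23+) is true only for PIN, pattern or password,
        // not for "swipe" or "none", which is exactly the distinction that matters here.
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        boolean secure = km != null && km.isDeviceSecure();

        // Enumerate every active device administrator; a legitimate MDM agent is
        // expected, an unknown "tracker" app is not.
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<String> admins = new ArrayList<>();
        if (dpm != null && dpm.getActiveAdmins() != null) {
            for (ComponentName cn : dpm.getActiveAdmins()) {
                admins.add(cn.flattenToShortString());
            }
        }
        return new Result(secure, admins);
    }
}
```

Call `LockScreenAudit.run(context)` from an Activity or Service; a result with `isExposed()` true, or with an admin component the user does not recognize, is the signal to prompt for a lock-screen credential and review the app in Settings.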
In this case, the DomainTools Security Research Team, while monitoring newly registered coronavirus- and COVID-labeled domain names, discovered the website luring users into downloading an Android application under the guise of a COVID-19 heat map, according to Chad Anderson, senior security researcher for DomainTools. “We look at everything from a threat-hunting and threat-research perspective, our net kind of goes everywhere.”
Analysis of the application showed that the APK (the package file format used for distribution and installation of Android apps) contained ransomware. The SSL certificate of the malicious domain (coronavirusapp[.]site) linked the site to another domain (dating4sex[.]us), which is also serving the malicious application. The linked site has registration information pointing to an individual in Morocco.
“We were able to find through the SSL encryption certificate for the site, it referenced another webpage. When we went to that site, we were able to pull an additional malicious Android application,” Anderson stated. “The secondary site spidered out to another 150 or so domains, about six of which were active.”
DomainTools found that the coronavirusapp[.]site domain was originally registered on March 8, 2020, using domain privacy to obscure the registrant details, and that it was hosted on Wrathost, a provider of cheap shared hosting. “For that reason, the domain is on an IP address shared with over 100 other domains not related,” Saleh said.
DomainTools reverse-engineered CovidLock’s decryption key, and released it publicly for any victims affected by this ransomware.