Fake Covid-19 tracker app delivers ransomware, disinformation abounds

As Covid-19 spreads across the globe and countries do their best to slow down the infection rate, cybercriminals’ onslaught against worried users is getting more intense by the day. The latest scheme includes a malicious Android tracker app that supposedly allows users to keep an eye on the spread of the virus, but locks victims’ phone and demands money to unlock it.

Also, as many have already discovered, the spread of potentially very dangerous disinformation is reaching massive proportions.

Ransomware disguised as Fake Covid-19 tracker app

The DomainTools security research team is warning about a discovered a malicious domain (coronavirusapp[.]site) distributing a fake Coronavirus outbreak tracker app (Covid 19 Tracker), which will purportedly provide users tracking and statistical information about Covid-19 and heatmap visuals.

Once downloaded and run, the app locks the screen of the device and shows a ransom note claiming that the phone has been encrypted and that all the contents (contacts, pictures, videos, etc.) will be erased if the victim does not pay $100 in Bitcoin in the next 48 hours.

“Since Android Nougat has rolled out, there is protection in place against this type of attack. However, it only works if you have set a password. If you haven’t set a password on your phone to unlock the screen, you’re still vulnerable to the CovidLock ransomware,” the researchers noted.

But there is good news for those who fell for the trick: the researchers have reverse engineered the decryption key and will make them public (check the update at the end of this item).

This is not the first time that cybercriminals have taken advantage of the public’s demand for Covid-19 information in the helpful form of a global map: earlier this month Malwarebytes researchers warned about a site that delivers information-stealing malware while purportedly showing users updated coronavirus cases on a global map:

Battling disinformation

Many cybersecurity companies have detected a considerable increase of coronavirus-related domains registered globally, some of which are bound to be used for phishing, malware delivery, snake oil peddling and disinformation.

The latter has become quite a problem, as fake news spreads fast through social networks.

Users are urged to check the source of each piece of information they receive and to get their information directly from official sources like the World Health Organization, which is, by the way, actively fighting the “infodemic” of fake coronavirs-themed news online.

For those who really want to see the spreading of Covid-19 in a map format, Microsoft created a web portal for tracking infections across the globe, which is based on official sources.

UPDATE (March 16, 2020, 8:35 a.m. PT):

DomainTools has published an in-depth analysis of the fake Covid 19 Tracker app (i.e., the CovidLock malware), as well as the decryption key victims can use do unblock their device/decrypt its contents: 4865083501.

“CovidLock’s author did not bother implementing any type of obfuscation of the key in the application’s source code. While it’s easy to write about how this is not sophisticated from a malware development standpoint, it’s important to note that CovidLock is still effective at its lock-screen attack,” they noted.