In Brief

  • COVID19 Tracker is a fake Android app that locks up the user's phone and demands $100 in bitcoin as ransom.
  • Thus far, it appears no one has been taken in. But we worry.

In scary times, people naturally look for information to ease their angst. And hackers naturally look for novel ways to trick scared people. Their latest invention: "COVID19 Tracker," a phony coronavirus tracking app that claims it will expose your social media accounts and delete all your phone's storage unless you cough up $100 in bitcoin.

DomainTools's security research team discovered the duplicitous Android app while monitoring recently registered coronavirus- and COVID-labeled domain names. On Friday, it released a report detailing how it works.

How "COVID19 Tracker" scams you

Normally, when people want to download an Android app, they go to the Google Play Store. In this scam, however, the app “COVID19 Tracker” is hosted on a website, coronavirusapp[.]site.

The site lures unsuspecting victims into downloading the app, which will supposedly give them access to a coronavirus map tracker. The map appears to provide tracking and statistical information about COVID-19, including heatmap visuals.

Once the unsuspecting victim opens the mobile app, it asks for access to the user’s lock screen so it can send a notification when a coronavirus patient is lurking nearby (which is impossible to know, by the way). It also asks for permission to use the phone's accessibility settings for “active state monitoring.”

Screen lock attack

In reality, the app is spring-loaded with a ransomware called “CovidLock,” which uses a technique called a “screen-lock attack” to deny the user access to the phone by forcing a change in the password used to unlock the phone.

After "CovidLock" is activated, the screen changes to a ransom note that tells the user to hand over $100 in bitcoin within 48 hours.

If the user doesn't pay up, the note says it will scrub the phone—deleting contacts, pictures and videos. It also claims that it will expose your social media accounts to the world. And it even warns: “Your GPS is watched and your location is known, if you try anything stupid your phone will be automatically erased."

At the end of the note is a text field where the user is supposed to enter the decryption code, and a button beneath the text field that says "Decrypt." Those bastards!

Outwitting the app

So far, it doesn’t look like anyone has fallen for the scam. The bitcoin address that the app uses to receive BTC is empty as of today.

Android has provided protections against this type of attack since 2016, when it released its Nougat operating system. However, it only works if you have set a password. If you haven't set a password on your phone to unlock the screen, you're still vulnerable to the CovidLock ransomware, according to the report.

However, there is light at the end of the tunnel for those who fall victim to an attack like this. The DomainTools security research team has reverse engineered the decryption keys and plans to post the key publicly.
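For defenders vetting a sideloaded APK, the two permission requests and the Nougat caveat described above can be turned into a quick triage check. This is an added example, not code from DomainTools or the original article. It assumes the manifest has already been decoded to XML, and that the "lock screen" request corresponds to a device-admin receiver. The sample manifest and its component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
NOUGAT_API = 24  # Android 7.0 (Nougat)
ADMIN = "android.permission.BIND_DEVICE_ADMIN"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample, NOT CovidLock's real manifest; names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <activity android:name=".MapActivity"/>
  </application>
</manifest>"""

def privileged_components(manifest_xml):
    """Return components bound to device-admin or accessibility privileges."""
    found = {"device_admin": [], "accessibility": []}
    for comp in ET.fromstring(manifest_xml).iter():
        perm = comp.get(ANDROID + "permission", "")
        name = comp.get(ANDROID + "name", "?")
        if comp.tag == "receiver" and perm == ADMIN:
            found["device_admin"].append(name)
        elif comp.tag == "service" and perm == A11Y:
            found["accessibility"].append(name)
    return found

def device_exposed(sdk_int, has_lock_credential):
    """Per the article: the protection arrived with Nougat and only helps
    when a screen-lock password is already set."""
    return sdk_int < NOUGAT_API or not has_lock_credential

def triage(manifest_xml, sdk_int, has_lock_credential):
    """Flag apps that request both privileges; report device exposure."""
    comps = privileged_components(manifest_xml)
    flagged = bool(comps["device_admin"] and comps["accessibility"])
    exposed = flagged and device_exposed(sdk_int, has_lock_credential)
    return {"flagged": flagged, "exposed": exposed, **comps}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, sdk_int=28, has_lock_credential=False))
```

A flag here is a reason to look closer, not a verdict: legitimate device-management and assistive apps request the same privileges.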

This is not the first time that cybercriminals have taken advantage of the public’s demand for Covid-19 information in the helpful form of a global map. Last week, Decrypt reported on several coronavirus domains that are infecting computers.

If you do want to watch the spread of the Covid-19 virus on a map, Microsoft has created a web portal for that—and you don’t have to download anything.