Last week we discussed how the rise in remote work due to the COVID-19 outbreak is posing security challenges for companies.
Now we have learned of a new ransomware tactic in which cybercriminals target people with a malicious Coronavirus (COVID-19) tracking mobile application.
Security researchers at DomainTools have discovered a domain (coronavirusapp[.]site) that asks users to download an Android app claiming to display a real-time Coronavirus outbreak tracker for nearby places (street, city, and state) with heatmap visuals.
But in reality, this malicious app doesn’t display anything and gives total device control to a cybercriminal if a victim grants it any access to their phone. Once it is downloaded or given access, the app locks the victim’s phone using the screen lock and displays a ransom note demanding $100 to regain access to the phone. The note says:
YOUR PHONE IS ENCRYPTED: YOU HAVE 48 HOURS TO PAY 100$ in BITCOIN OR EVERYTHING WILL BE ERASED
“Since Android Nougat has rolled out, there is protection in place against this type of attack. However, it only works if you have set a password. If you haven’t set a password on your phone to unlock the screen, you’re still vulnerable to the CovidLock ransomware,” say DomainTools researchers.
According to DomainTools’ update posted yesterday, they have successfully reverse-engineered CovidLock’s decryption key and released it publicly for the victims of this ransomware attack: “4865083501”
They also found that the malicious website coronavirusapp[.]site belongs to a person in Morocco and displays an iframe that sources information from infection2020[.]com (a website from an independent developer for tracking US-based COVID-19 news), with a small banner above the iframe encouraging users to download the ransomware-infected CovidLock mobile application.