Connect with us

Hi, what are you looking for?



Android Surveillance Campaign Leverages COVID-19 Crisis

Amid numerous malicious attacks leveraging the current COVID-19 coronavirus crisis, security researchers have discovered an Android surveillance campaign targeting users in Libya.

Amid numerous malicious attacks leveraging the current COVID-19 coronavirus crisis, security researchers have discovered an Android surveillance campaign targeting users in Libya.

Ranging from phishing attacks that deliver remote access Trojans or other types of malware to state-sponsored assaults, attacks featuring themes related to the COVID-19 pandemic are a common occurrence and target both desktop and mobile users.

People around the world are seeking accurate information about the virus and its impact, and cyber-criminals are taking advantage of the increase in communication around the topic to spread their malicious programs.

One of the COVID-19-themed attacks appears to be part of a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals, Lookout reveals.

As part of the attack, the adversary uses an Android application named “corona live 1.1,” which is a trojanized version of the “corona live” app that serves information from the Johns Hopkins coronavirus tracker, such as infection rates and number of deaths over time and per country.

Once launched, the app requests access to photos, media, files, device location, and also asks for permissions to take pictures and record videos. The app, Lookout has discovered, is a variant of the SpyMax commercial surveillanceware family, supposedly developed by SpyNote creators.

SpyMax includes all of the capabilities a standard spying tool has, and cyber-criminals praise it on underground forums for its graphical interface and ease of use.

Through this piece of surveillanceware, attackers can access a broad range of sensitive data on the victims’ devices, they can remotely activate the microphone and cameras, and have a shell terminal at their disposal.

Advertisement. Scroll to continue reading.

The “corona live 1.1” application stores command and control (C&C) data in resources/values/strings, a feature common to SpyMax and SpyNote.

Pivoting off the C&C domain, Lookout’s researchers identified 30 unique APKs sharing infrastructure apparently used in a surveillance campaign ongoing since at least April 2019. The threat actor has been using surveillanceware families such as SpyMax, SpyNote, SonicSpy, SandroRat, and Mobihok.

The two newest applications used in these attacks are COVID-19-related (another sample is called “Crona”), while three other programs were titled “Libya Mobile Lookup” and belonged to the SpyNote family. These were likely the first apps rolled out in the campaign.

The researchers managed to link the campaign to Libya through the malicious applications and the C&C infrastructure, and they note that “this appears to be a regionally targeted surveillance effort.” However, there is no evidence to suggest that this is a state-sponsored campaign, although the surveillanceware employed has been used by nation states in the Middle East in the past.

Lookout also points out that the malware used in this campaign can be easily purchased and customized and says that the creator of MobiHok “is familiar with and has used or developed SpyNote in the past.” Both have fairly cheap licensing costs and offer support for users to set up their applications, making it easy for anyone to acquire, customize and manage their own spy tools.

“This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of “off-the-shelf” spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold,” Lookout concludes.

Related: Researchers Track Coronavirus-Themed Cyberattacks

Related: COVID-19 Themed Phishing Campaigns Continue

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.