Amid numerous malicious attacks leveraging the current COVID-19 coronavirus crisis, security researchers have discovered an Android surveillance campaign targeting users in Libya.
Ranging from phishing attacks that deliver remote access Trojans or other types of malware to state-sponsored assaults, attacks featuring themes related to the COVID-19 pandemic are a common occurrence and target both desktop and mobile users.
People around the world are seeking accurate information about the virus and its impact, and cyber-criminals are taking advantage of the increase in communication around the topic to spread their malicious programs.
One of the COVID-19-themed attacks appears to be part of a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals, Lookout reveals.
As part of the attack, the adversary uses an Android application named “corona live 1.1,” which is a trojanized version of the “corona live” app that serves information from the Johns Hopkins coronavirus tracker, such as infection rates and number of deaths over time and per country.
Once launched, the app requests access to photos, media, files, device location, and also asks for permissions to take pictures and record videos. The app, Lookout has discovered, is a variant of the SpyMax commercial surveillanceware family, supposedly developed by SpyNote creators.
SpyMax includes all of the capabilities a standard spying tool has, and cyber-criminals praise it on underground forums for its graphical interface and ease of use.
Through this piece of surveillanceware, attackers can access a broad range of sensitive data on the victims’ devices, remotely activate the microphone and cameras, and use a shell terminal on the compromised device.
The “corona live 1.1” application stores command and control (C&C) data in resources/values/strings, a feature common to SpyMax and SpyNote.
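As an added illustration for analysts (not code from Lookout’s report or this article), the script below parses a decoded res/values/strings.xml and flags string resources that look like network endpoint configuration rather than user-facing text. The sample XML, the resource names and the assumption that the C&C settings appear as host, port or host:port strings are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a decoded res/values/strings.xml (apktool-style output).
# Resource names and values are invented; a real sample will differ.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">corona live</string>
    <string name="loading">Loading statistics...</string>
    <string name="host">203.0.113.45</string>
    <string name="port">1234</string>
    <string name="ddns">c2.example.invalid:8080</string>
    <string name="about">Data from the Johns Hopkins tracker</string>
</resources>
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")
PORT_ONLY = re.compile(r"^\d{1,5}$")


def find_endpoint_strings(xml_text):
    """Return (name, value, reason) tuples for <string> resources whose value
    looks like an IP literal, a host:port pair, or a bare port number stored
    under a port-like resource name."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if IPV4.match(value):
            findings.append((name, value, "ipv4-literal"))
        elif HOST_PORT.match(value) and "." in value:
            findings.append((name, value, "host:port"))
        elif PORT_ONLY.match(value) and 0 < int(value) < 65536 and "port" in name.lower():
            findings.append((name, value, "port-number"))
    return findings


if __name__ == "__main__":
    # Triage output for the constructed sample: three suspicious entries.
    for name, value, reason in find_endpoint_strings(SAMPLE_STRINGS_XML):
        print(f"{reason:14} {name} = {value}")
```

Hits from a heuristic like this are a starting point for manual review of the decompiled code, not a verdict on their own.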
Pivoting off the C&C domain, Lookout’s researchers identified 30 unique APKs sharing infrastructure apparently used in a surveillance campaign ongoing since at least April 2019. The threat actor has been using surveillanceware families such as SpyMax, SpyNote, SonicSpy, SandroRat, and MobiHok.
The two newest applications used in these attacks are COVID-19-related (another sample is called “Crona”), while three other programs were titled “Libya Mobile Lookup” and belonged to the SpyNote family. These were likely the first apps rolled out in the campaign.
The researchers managed to link the campaign to Libya through the malicious applications and the C&C infrastructure, and they note that “this appears to be a regionally targeted surveillance effort.” However, there is no evidence to suggest that this is a state-sponsored campaign, although the surveillanceware employed has been used by nation states in the Middle East in the past.
Lookout also points out that the malware used in this campaign can be easily purchased and customized and says that the creator of MobiHok “is familiar with and has used or developed SpyNote in the past.” Both have fairly cheap licensing costs and offer support for users to set up their applications, making it easy for anyone to acquire, customize and manage their own spy tools.
“This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of “off-the-shelf” spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold,” Lookout concludes.