Security, Privacy Issues Found in Government COVID-19 Mobile Apps

Researchers at cybersecurity company ZeroFOX discovered that government-sanctioned COVID-19 mobile applications are affected by vulnerabilities and privacy issues that put citizens at risk.

Governments worldwide have released COVID-19 mobile apps to provide citizens with useful information and, in some cases, to track individuals in an effort to contain the coronavirus outbreak.

An analysis of dozens of nation- and government-sponsored Android applications released to help with the current COVID-19 pandemic has revealed privacy risks, vulnerabilities and backdoors, ZeroFOX says in a post highlighting three of the analyzed apps.

The first of these apps is the official COVID-19 application that the Iranian government released. Available since early March, it was designed to track citizens and harvest personal information — two features that raise privacy concerns — all without providing information on the pandemic.

An imposter app that copies the government-sanctioned app was also identified. Dubbed CoronaApp, it is available for download at ‘coronaapp[.]ir’, a website that multiple news sites, Telegram groups, and social network posts link to.

The unofficial application requests access to the user’s location, camera, Internet data, system information, and the ability to write to external storage. Despite asking for these permissions, the application does not appear to engage in malicious behavior.

According to the ZeroFOX security researchers, the risk posed by this application is high, especially since Iran is a country under sanctions and Google Play is not accessible to most Iranians, which means that the official protection mechanisms included in the app store are not available to them.

CoronaApp’s developers claim that the app was built with support from the Iranian government, although there is no reputable evidence to confirm that. The legitimacy of the claims in the news articles linking to the app’s download website could not be verified either, and the security researchers are confident that the app could be abused in the future.

Another app that puts user privacy at risk is the official CoronApp-Colombia application, meant to help individuals in Colombia track symptoms related to COVID-19. Available through Google Play, the app requests permissions to access location, read phone states, and read contacts, but is not malicious.

However, vulnerabilities in the app were found to impact more than 100,000 users, ZeroFOX reveals. Specifically, the app would only use HTTP for communication, although both personal health information (PHI) and personally identifiable information (PII) are being transmitted, exposing the data to man-in-the-middle attacks.

Data transmitted in clear text included names, document_type (which can include passports and other registration numbers), emails, passwords, gender, and race. However, the issue was addressed in late March, after Colombia CERT was alerted to the matter.

The security researchers also identified 12 APKs related to a campaign which involved a repackaged, backdoored application targeting Italian citizens. All of these APKs had the same signing certificate and issuer details.

Italy is using regional COVID-19 apps instead of a single national application. One of these regional apps, for which its developers released a beta version, has been recompiled with a backdoor.

“The backdoor is present when the Android app receives a BOOT_COMPLETED intent, which is sent to any COVID-19 mobile apps that have this permission enabled when the phone boots, or when the app is opened,” ZeroFOX says.
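A defender-side triage of the three manifest-level signals this article mentions (requested permissions, a receiver for BOOT_COMPLETED, and cleartext HTTP), as an added example that is not from ZeroFOX or the original article. The manifest is a constructed sample with hypothetical package and class names, and the script assumes a text-decoded AndroidManifest.xml that still carries a `uses-sdk` element.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidtracker">
  <uses-sdk android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Tracker">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return the manifest-level signals worth a closer look during app review."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # Receivers that run code at boot: legitimate for some apps, but worth reviewing.
    boot_receivers = [
        r.get(ANDROID + "name") for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    app, sdk = root.find("application"), root.find("uses-sdk")
    # A missing uses-sdk is treated as a very old target (conservative assumption).
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    # Cleartext HTTP is permitted by default when targetSdkVersion is 27 or lower.
    cleartext = (flag == "true") if flag is not None else target <= 27
    return {"sensitive_permissions": sorted(perms & SENSITIVE),
            "boot_receivers": boot_receivers,
            "cleartext_allowed": cleartext}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A network security config, if the app declares one, can override the cleartext default, so `cleartext_allowed` is a prompt to inspect the app's traffic rather than proof that it uses HTTP.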

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
