Security, Privacy Issues Found in Government COVID-19 Mobile Apps

Researchers at cybersecurity company ZeroFOX discovered that government-sanctioned COVID-19 mobile applications are affected by vulnerabilities and privacy issues that put citizens at risk.

Governments worldwide have released COVID-19 mobile apps to provide citizens with useful information and, in some cases, to track individuals in an effort to contain the coronavirus outbreak.

An analysis of dozens of nation- and government-sponsored mobile applications for Android released to help with the current COVID-19 pandemic has revealed the existence of privacy risks, vulnerabilities and backdoors, ZeroFOX says in a post highlighting three of the analyzed apps.

The first of these apps is the official COVID-19 application that the Iranian government released. Available since early March, it was designed to track citizens and harvest personal information — two features that raise privacy concerns — all without providing information on the pandemic.

An imposter app that copies the government-sanctioned app was also identified. Dubbed CoronaApp, it is available for download at ‘coronaapp[.]ir’, a website that multiple news sites, Telegram groups, and social network posts link to.

The unofficial application requests access to the user’s location, camera, Internet data, system information, and the ability to write to external storage. Despite asking for these permissions, the application does not appear to engage in malicious behavior.

According to the ZeroFOX security researchers, the risk posed by this application is high, especially since Iran is a country under sanctions and Google Play is not accessible to most Iranians, which means that the official protection mechanisms included in the app store are not available to them.

CoronaApp’s developers claim that the app was built with support from the Iranian government, although there is no reputable evidence to confirm that. The legitimacy of the claims in the news articles linking to the app’s download website could not be verified either, and the security researchers are confident that the app could be abused in the future.

Another app that puts user privacy at risk is the official CoronApp-Colombia application, meant to help individuals in Colombia track symptoms related to COVID-19. Available through Google Play, the app requests permissions to access location, read phone states, and read contacts, but is not malicious.

However, vulnerabilities in the app were found to impact more than 100,000 users, ZeroFOX reveals. Specifically, the app used only HTTP for communication, even though both personal health information (PHI) and personally identifiable information (PII) were being transmitted, exposing the data to man-in-the-middle attacks.

Data transmitted in clear text included names, document_type (which can include passports and other registration numbers), emails, passwords, gender, and race. However, the issue was addressed in late March, after Colombia CERT was alerted on the matter.

The security researchers also identified 12 APKs related to a campaign which involved a repackaged, backdoored application targeting Italian citizens. All of these APKs had the same signing certificate and issuer details.

Italy is using regional COVID-19 apps instead of a single national application. One of these regional apps, of which the developers had released a beta version, has been recompiled with a backdoor.

“The backdoor is present when the Android app receives a BOOT_COMPLETED intent, which is sent to any COVID-19 mobile apps that have this permission enabled when the phone boots, or when the app is opened,” ZeroFOX says.
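The manifest-level indicators mentioned in the article (the requested permissions, permitted cleartext traffic, and receivers registered for BOOT_COMPLETED) can be checked from a decoded AndroidManifest.xml. The following Python triage is an added example, not code from ZeroFOX or SecurityWeek; the sample manifest, package name and receiver name are constructed, and it assumes the manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permission types the article lists for the apps it discusses.
SENSITIVE = {"android.permission." + p for p in (
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA",
    "READ_CONTACTS", "READ_PHONE_STATE", "WRITE_EXTERNAL_STORAGE")}
BOOT = "android.intent.action.BOOT_COMPLETED"

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.healthapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".StartupReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the review items found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    # Components started at boot deserve review in a repackaged APK;
    # a boot receiver on its own is not evidence of a backdoor.
    boot_receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == BOOT for a in r.iter("action"))
    ]
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE),
        # Only an explicit opt-in is flagged here; when the attribute is
        # absent, the default depends on the app's target SDK version.
        "cleartext_allowed": app is not None
            and app.get(ANDROID + "usesCleartextTraffic") == "true",
        "boot_receivers": boot_receivers,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest shows only what an app is permitted to do; confirming that data actually leaves the device over HTTP, as reported for CoronApp-Colombia, requires inspecting its network traffic.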

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
