Several official COVID-19 apps have been developed by the government that were aimed at helping citizens in Iran, Italy and Columbia to track symptoms of the Coronavirus.
Researchers have found that they are putting the privacy of the users and data at risk. ZeroFOX Alpha Team researchers have found some risk and security vulnerabilities, including backdoor in various apps.
Researchers have analysed several national and state government-sponsored apps related to COVID-19 and are highlighting analysis of three applications.
Copycat CoronaApp
When Coronavirus started spreading outside China, Iran became a hotspot for the COVID-19 the Iranian government has launched the official coronavirus app. Since it was intended to track the citizens the app contains several privacy issues rather than providing vital health information that was available on the Iranian app store called CafeBazaar.
After this threat actors have created a copycat of the app named ‘CoronaApp’ that can be downloaded from ‘coronaappir’ and the fake link was distributed on various telegram groups and social networking sites.
However, Alpha Team has analysed the fake and found that the app was not developed with a malicious intent since it has not asked request permissions to access a user’s location, camera, internet data, system information, and write to external storage which describes the app is not for malicious intent.
Also, the creators of the apps claim that the app was developed under the support of the Iranian government.
Colombia Corona App Exposes 100,000 users Personal Info
Another app that was announced by the Colombian President to help Colombian citizens to track symptoms of Coronavirus. After analysing the app the researchers haven’t found anything malicious but after analysing it in depth researchers found that the app communicates over insecure HTTP connection with the API server.
Rather than using the more secure HTTPs connection, the app was using insecure HTTP connection over API. ZeroFOX Alpha Team has installed the app on an android emulator and through Wireshark, they were successfully able to intercept the traffic that shows how an attacker can easily launch and man-in-the-middle attack.
This API_URL is used multiple times throughout the app and makes HTTP requests to the 52.87.234.39 server, located in the U.S., to relay personal health information (PHI) and personally identifiable information (PII),” they noted. “The same URL is also hardcoded into additional API calls, without using the API_URL.
researchers said.
Backdoored COVID-19 App Targets Italian Users
Italy was majorly stuck with the pandemic and the government has created the region-specific app for tracking the symptoms of COVID-19. Since there were several government-sanctioned legitimate applications the threat actors taken advantage of the confusion and released malicious applications some backdoored to steal pieces of information.
The researchers said that they had found 12 application-related about the campaign.
The backdoor is activated when the Android app receives a BOOT_COMPLETED intent when the phone boots, or when the app is opened,
researchers said
Threat actors were using a reverse TCP connection with Metasploit generated by msfvenom.
