Commercial Surveillanceware Operators Exploit COVID-19
As COVID-19 spreads and individuals seek accurate information about the virus and its impacts, governments and businesses are extensively using email, text messages, and other digital tools to communicate with citizens and customers alike. Unfortunately, cybercriminals and scammers have taken advantage of the increase in communication around this topic, as well as individuals’ desires to stay up to date, find health tips, or track the spread of the disease.
Lookout researchers who were investigating potentially malicious mobile applications pertaining to this topic discovered an Android application that appears to be the most recent piece of tooling in a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals.
The application is titled “corona live 1.1.” Upon first launch, the app informs the user it does not require special access privileges, but subsequently proceeds to request access to photos, media, files, device location, as well as permission to take pictures and record video.
In reality, the corona live 1.1 app is a SpyMax sample, a trojanized version of the legitimate “corona live” application (SHA1: 134b53eb8b772f752ae4019b5f9b660c780e7773), which provides an interface to the data found on the Johns Hopkins coronavirus tracker including infection rates and number of deaths over time and per country.
SpyMax is a commercial surveillanceware family that appears to have been developed by the same creators as SpyNote, another low-cost commercial Android surveillanceware. SpyMax has all the capabilities of a standard spying tool, and forums referencing the malware praise its “simple graphical interface” and ease of use.
SpyMax allows the actor to access a variety of sensitive data on the phone, and provides a shell terminal and the ability to remotely activate the microphone and cameras.
SpyNote Permissions
While the “corona live 1.1” application itself appears to be a placeholder awaiting further functionality, it already stores its command and control (C2) configuration in resources/values/strings, as is common in SpyMax and SpyNote samples: the strings resource contains the hard-coded address of the attacker’s server.
Pivoting off the domain of the C2 server enabled Lookout researchers to find 30 unique APKs that share infrastructure in what appears to be a larger surveillance campaign that has been ongoing since at least April 2019. The applications used by this actor are fully functional and belong to a variety of commercial surveillanceware families that the Lookout research team has been tracking for years, including SpyMax, SpyNote, SonicSpy, SandroRat, and Mobihok.
The titles of the apps that share this malicious infrastructure are fairly generic. The two newest are COVID-19-related, and another sample is called “Crona.” What piqued the researchers’ interest were three applications titled “Libya Mobile Lookup.” These trojanized apps belong to the SpyNote family and are the earliest samples ingested that communicate with the C2 infrastructure. This indicates they were likely the first apps rolled out in this surveillance campaign, and they offer insight into who the targeted demographic might be.
The C2 domain is hosted through the dynamic DNS provider No-IP and previously resolved to a number of different IP addresses in the same range of addresses. The address space appears to be operated by Libyan Telecom and Technology, a consumer internet service provider, and the naming of the reverse DNS records associated with the IP addresses indicates that they are likely part of a pool used for DSL connections.
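The C2 configuration lives in the app’s decoded strings resource, and the infrastructure pivot above turns on two observations: the hosts are dynamic DNS names and they match a known IOC list. The script below is an added example written for this article, not Lookout’s tooling or code from any sample. It parses a constructed `strings.xml` in the layout apktool produces, pulls out anything that looks like a host, IP or port, and flags dynamic DNS providers and hits against the domains from the IOC section. The resource names (`server_host`, `server_port`, `update_url`) and the port value are invented for illustration and are not claimed to be what SpyMax actually uses; the `no-ip.org` and `hopto.org` suffixes are assumptions added alongside the two providers the post names.

```python
import re
import xml.etree.ElementTree as ET

# Dynamic DNS suffixes: ddns.net (No-IP) and duckdns.org are named in the post;
# no-ip.org and hopto.org are additional No-IP suffixes added here as an assumption.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org", "hopto.org")

# Domains taken from the post's IOC list.
KNOWN_C2_DOMAINS = {
    "abdojmal2.ddns.net",
    "assdsiwi.ddns.net",
    "assdsiwi.duckdns.org",
    "mobihok.net",
}

# Constructed sample in apktool's res/values/strings.xml layout. Resource names,
# the port and the update URL are illustrative, not taken from a real sample.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">corona live 1.1</string>
    <string name="notice">This app does not require special permissions.</string>
    <string name="server_host">abdojmal2.ddns.net</string>
    <string name="server_port">1337</string>
    <string name="update_url">http://example-tracker.invalid/api/stats</string>
</resources>
"""

# A dotted hostname with an alphabetic TLD, optionally followed by :port.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{1,5}))?\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"^\d{1,5}$")


def parse_strings_xml(xml_text):
    """Return {resource name: value} for every <string> in a strings.xml."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return {el.get("name"): (el.text or "") for el in root.iter("string")}


def is_dynamic_dns(host):
    """True if host is, or sits under, one of the dynamic DNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def extract_c2_candidates(strings):
    """List every hostname/IP found in string resources with triage flags."""
    candidates = []
    for name, value in strings.items():
        for m in HOST_RE.finditer(value):
            host = m.group(1).lower()
            candidates.append({
                "resource": name,
                "host": host,
                "port": int(m.group(2)) if m.group(2) else None,
                "dynamic_dns": is_dynamic_dns(host),
                "known_ioc": host in KNOWN_C2_DOMAINS,
            })
        for ip in IPV4_RE.findall(value):
            candidates.append({
                "resource": name, "host": ip, "port": None,
                "dynamic_dns": False, "known_ioc": False,
            })
    return candidates


def find_port_hints(strings):
    """Bare numeric resources in the TCP port range, keyed by resource name.
    SpyNote-style kits often keep host and port in separate strings."""
    hints = {}
    for name, value in strings.items():
        if PORT_RE.match(value.strip()) and 0 < int(value) <= 65535:
            hints[name] = int(value)
    return hints


def triage(xml_text):
    """Return only the candidates worth a second look: dynamic DNS or known IOC."""
    strings = parse_strings_xml(xml_text)
    flagged = [c for c in extract_c2_candidates(strings)
               if c["dynamic_dns"] or c["known_ioc"]]
    return {"flagged": flagged, "port_hints": find_port_hints(strings)}


if __name__ == "__main__":
    for c in extract_c2_candidates(parse_strings_xml(SAMPLE_STRINGS_XML)):
        print(c)
    print(triage(SAMPLE_STRINGS_XML))
```

Run it against the output of `apktool d sample.apk` by reading `sample/res/values/strings.xml` instead of the constructed sample. Nothing here is specific to SpyMax; the same pass is useful on any kit that keeps its configuration in plain string resources, and the dynamic DNS flag is what makes a passive DNS pivot like the one in the post worth attempting.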
The person or group running the campaign is likely in Libya and using their own infrastructure to run the C2, or is leveraging infrastructure they have compromised there. As the applications are also specifically aimed at Libyan users, this appears to be a regionally targeted surveillance effort.
While Lookout researchers have not seen anything at the moment to indicate this is a state-sponsored campaign, the use of these commercial surveillanceware families has been observed in the past as part of the tooling used by nation states in the Middle East. While nation states can and do develop their own custom tooling, they have also been known to use out-of-the-box open-source and commercial tools, as well as sometimes use commercial or open source malware as a starting point to develop their own malware.
What is interesting to note is that the malware used in this campaign can be easily purchased and customized. Lookout researchers have found several connections between the families seen in this campaign, and believe it is reasonable to assume the creator of MobiHok is familiar with SpyNote and has used or developed it in the past. In terms of ease of acquisition, SpyNote and Mobihok have fairly cheap licensing costs and even offer support to help buyers set up their applications. With sites that offer an easy checkout process and customer support, these commercial surveillanceware vendors make it possible for anyone to acquire, customize and manage their own spy tools.
This surveillance campaign highlights how, in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of “off-the-shelf” spyware kits makes it fairly easy for malicious actors to spin up bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold. These applications were never available in the Google Play store. It is important to avoid downloading apps from third-party app stores and to avoid clicking suspicious links to “informative” sites or apps spread via SMS.
IOCs
Android Applications
Desktop Components
Domains and IPs
- abdojmal2.ddns[.]net
- assdsiwi.ddns[.]net
- assdsiwi.duckdns[.]org
- mobihok[.]net
- 102.69.43[.]243
- 102.69.43[.]25
- 102.69.43[.]93
- 165.16.67[.]84
- 165.16.76[.]7
- 198.54.116[.]33
- 216.38.7[.]245
- 41.252.129[.]25
- 41.252.165[.]11
- 41.252.173[.]41
- 41.253.17[.]163
- 41.253.23[.]12
- 41.253.48[.]235
- 41.253.52[.]89
- 41.253.61[.]60
- 62.240.51[.]221
- 82.205.176[.]250