Security Experts:

Beware of Sick Behavior Masquerading as Coronavirus

Cybercriminals Are Seeing the Pandemic as a Huge Business Opportunity

Food delivery services and Netflix are not the only ones profiting from the coronavirus outbreak.  It has also been a bonanza for cybercriminals, seeking to cash in on the anxiety and confusion resulting from COVID-19. Photon, the research arm of my company, has undertaken a deep dive into the shadowy, cyber world of those whose work involves abusing others online through trickery, extortion, fraud, and theft. Here is some of what we found as well as ways that you can mitigate the threat: 

Crappy apps

As early as January, phishing emails containing phony COVID-19 public health warnings were circulating in Japan. They used the coronavirus scare as its email campaign hook. Recipients were warned about the virus’ rapid spread and instructed to download an attached notice that allegedly contained preventive measures. In fact, when downloaded, it installed Emotet, a form of malware used to deploy ransomware and other types of malicious software that steal user credentials, browser history, and sensitive documents. That data can then be used to send spam to other email accounts. 

Other forms of cyberattack, including a denial of service attack against the U.S. Department of Health and Human services on March 15, and a fraudulent website distributing a new variant of ransomware named “CoronaVirus” identified a few days later, also occurred.  And misleading mobile apps began to proliferate. Altogether, we uncovered 376 Android mobile apps related to COVID-19. Many of them, it turned out, were benign. But others contained spyware to collect sensitive user data and insisted on receiving dangerous permissions.  

We discovered multiple apps that demanded access to perform account authentication, to capture and collect photos, to receive packets not directly addressed to the device, to create network sockets, remove accounts, delete passwords, request authentication tokens, and write to the phone’s embedded sim card.  Seeking the ability to access a user’s contact list is a particularly dangerous form of permission because, among other things, it enables someone who secures that information to impersonate you and anyone else on that list in malicious ways. 

We also found a number of app download links that claimed to be specific to COVID-19 but which actually served up entirely different applications, some of which were rigged with malicious files requiring an extensive number of dangerous permissions.  The files they would download included riskware, adware, potentially unwanted programs, contact collection tools, and SMS management capabilities.  One, which masqueraded as a legitimate coronavirus application associated with Johns Hopkins Medical Center, was actually a tool used to vacuum up photos, media files, device location, and the user’s camera, while installing spyware device management capabilities. 

Importantly, almost all of this malware was downloaded from sources other than the Google Play or Apple App stores – both of which rigorously vet software before allowing it on their sites.  Downloading from these trusted app stores offers significant protection against malware. 

Third-party perils

In their haste to prepare themselves for a predominantly remote workforce in response to the coronavirus, many organizations have sought the help of third-party vendors.  That’s understandable; outside vendors can help a company maintain some semblance of business continuity during challenging times. But it also brings new risk of unwelcome intrusion.  

Third parties sometimes offer a path of least resistance to determined intruders. They provide the added benefit of allowing the cybercriminal to remain undetected and even the possibility of attacking multiple target organizations at once. Last August, for example, malicious actors were able to use a third-party vendor to spread ransomware to 22 cities in Texas.  In addition, virtual workspaces require increased use of third-party online channels, expanding the potential attack surface way beyond the company’s traditional network.

That’s not just theoretical; a 2018 study by the Ponemon Institute found that nearly 60 percent of the companies surveyed had suffered a data breach at the hands of third-party vendors, while only about a third had even kept a comprehensive inventory of the third-party suppliers their company had worked with. 

Mitigating risks

There are three major categories of risk presented by third-party apps and vendors: Operational risk resulting from errors or failures in the system; Transaction risks related to problems with the service or delivery, and Compliance risks which put the organization in the crosshairs of liability for security breaches or other regulatory failings. While these risks are not unique to the use of third parties, involving them considerably amplifies the risk opportunities. 

At the same time, though, there are common sense strategies available to minimize and mitigate those risks.  

1. Create a pandemic response team capable of assessing third party risk 

2. Build a comprehensive inventory of third-party vendors

3. Analyze third party vendors for risk

4. Track security incidents that could affect your vendors

5. Include data exposure incidents in third party monitoring

6. Only download apps from trusted sites

7. Remain skeptical of apps requesting permissions

8. Confirm that the app is created by a legitimate developer

Related: COVID-19 Apps: Effective Virus Risk Management Tools or Privacy Nightmare?

RelatedApple and Google Team Up on Virus 'Contact Tracing' by Smartphone

RelatedNation-backed Hackers Tune Attacks to COVID-19 Fears: Google

RelatedAndroid Surveillance Campaign Leverages COVID-19 Crisis

RelatedSpike in Company Compromises Correlates With Lockdowns

view counter
Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.