It’s been more than one year since people around the world were forced into technology, whether they liked it or not. Governments, healthcare providers, restaurants and the rest have flooded users with applications to help them safely get in touch with the outside world.

In this context, cybercriminals have rapidly adapted their strategy to capitalize on this newly opened market and trick victims into installing malicious apps on their Android phones. Bitdefender researchers have found multiple apps taking advantage of mobile users looking for information about the vaccines or seeking an appointment to get the jab. We expected this phenomenon after spotting a campaign a year ago when COVID-19 had just struck and users were restlessly looking for information.

Campaigns using COVID-19 vaccines as a pretext to deploy malware are a global problem, and they range from annoying but seemingly innocuous apps packed with adware to fully fledged Banker Trojans ready to take over the device after just a few taps.

One of Android’s main strengths, and weaknesses at the same time, is the user’s ability to sideload apps. This feature lets people load apps that are not available in the official store. Unfortunately, it also means many users unintentionally load malware from third party-stores or locations.

While this is a serious problem, the malware-ridden apps we’ve found are not limited to third-party locations. Some are still available through Google Play, despite Google’s efforts to weed out malicious apps during the developers’ uploading process.

Hydra Bankers

Two of the samples we’ve identified are part of the infamous Hydra trojan family. Historically, Hydra targeted Turkish users , but lately it has been extending its reach. This time its chosen victims are from Chile and other Spanish-speaking countries.

Both applications try to pass themselves off as a Coronavirus vaccine app for users based in Chile, and their behavior is very similar. One of the versions has been mentioned before on Twitter.

Users were able to download the apps from the following domains. Both domains resolved IP belongs to a web hosting provider from Malaysia. . As of the moment of writing, the domains have stopped serving the malware.

Distribution Point	IP	Registration Date	Expiration Date
Miinsaludgovcovacunacovid[.]com	111.90.145.231	12.02.2021	12.02.2022
miinsalud-gov-cl-vacuna-cvid19[.]com	111.90.145.231	15.02.2021	15.02.2022

Once the victims open the app, they try to lure them into activating the Accessibility permission for the app. If the user accepts, the application moves on to giving itself all the permission it requires, hides its launcher, and sends a premium SMS message. The premium SMS role is likely simple — to verify whether the malicious apps have acquired the necessary permissions.

The Accessibility permissions let the apps inspect the window’s content and collect data such as credit card numbers, passwords and more. From there, it’s only a matter of time before the user’s banking data is leaked.

The user can’t disable the Accessibility permissions or uninstall the app, since the app automatically redirects them to the home screen.

The samples we collected show zip file dates of 2021.02.12 and 2021.02.15, respectively. It seems their corresponding distribution points were registered the day they were built. Although these timestamps are no guarantee of an exact build time, they hint at the beginning of the attack.

The way criminals distribute this malware shows that they target Spanish speakers. Also, malicious Banker Trojans usually come with a list of banking applications they are targeting. All targets of the 30 different apps are financial applications with mainly Spanish speaking users (readers can see the complete list of applications in the Indicators of Compromise section).

Our telemetry readings show that the threat is currently active, predominantly in Spain. We detect this threat as Android.Trojan.Banker.RY.

Cerberus Bankers

The other banker family we have found taking advantage of the coronavirus vaccine is the well-known Cerberus malware-as-a-service. One of the apps shows a zip file date of 26.01.2021. It didn’t take these malware actors too long to jump on the Coronavirus vaccine bandwagon.

The malware attempts to spoof known legitimate Turkish healthcare apps that can be currently found on Google Play. For example, the *ATS AşıUygulama* (icon to the right).

The Cerberus family has been largely documented and, behavior-wise, these applications stick to the pattern.

After the user’s first tap to open the app, the apps will request the Accessibility permissions until the user grants them. The apps will keep popping up and display ‘toast messages’ until the user caves in and accepts the request. Toast messages are small snippets of text displayed on the screen. Once the victims grant the malware the requested Accessibility permissions, the apps hide their launcher and proceed to take over the device.

Both samples found target Turkey, as inferred from the application name:

We detect this threat as Android.Trojan.Banker.UI.

Repackaged adware

Many legitimate informational apps regarding the coronavirus vaccine have appeared in the last couple of months. Vaccinum is one of them. It was initially an application meant to provide users with advanced statistics on the vaccination status on a national and global level. However, its initial purpose made it a perfect target for malware creators.

The original application was available on Google Play for a while before the app store’s Covid-19 related regulations [6] required its developers to take it down. Currently, if users visit the app’s official website, they will find the following message:

While Google Play has legitimate reasons to add restrictions to Covid-19-related applications, deleting apps may lead some users to turn to other third-party Android application markets that tend to be more lenient when it comes to unwanted content.

This is where we find a new version of Vaccinum. While this version is the same as the original app functionality-wise, it comes repackaged with adware.

Every time a user opens the modified app, a pop-up appears after a couple of seconds with an advertisement and a request from a site to send notifications to the device. The ad also has a “SKIP AD” button that does nothing despite its name. It simply opens a different ad in the browser. The host site requests to send notifications, after which the website attempts to scam the user.

In this example, the website tries to persuade the victim to send a text message to a short code.

We detect this threat as Android.Adware.Agent.BMI.

Co-Win Adware

The Indian government launched a COVID-19 vaccine tracking and registration platform, Co-Win, on March 1, 2021. Reports of malware imitating Co-Win and of bad actors copying other Indian healthcare apps quickly emerged. Adware and fake applications immediately followed. The Indian government issued a warning in this regard.

Despite the official warning, we have observed more adware arriving in the official Google Play store. Google has been trying to vet all vaccination-related applications properly, but some fell through the cracks.

An application named “Guide for Co-Win India App – Made In India” (with a package name of register.guidefor.cowin20), that also takes advantage of India’s Covid vaccine registration system, Co-Win, is the perfect example of an app that shouldn’t exist in the official store.

Our systems indicate that this app has been active on Google Play since the middle of January, at least. The app attempts to provide information on how to use the Co-Win system. However, the app bombards its users with advertisements.

This application comes with a disclaimer: “This app is not official app of any government entity or government sites or government program” but that offers no relief to the reader who wishes to stay informed but instead is presented with ads.

A quick look at the app shows us the ads the users are indicating:

Google has been informed of this behavior; we advise users to avoid such applications until Google Play takes appropriate action.

We detect this threat as Android.Adware.Agent.BMF.

Conclusion

These examples are only the tip of the iceberg of vaccine-targeted apps. Malware and adware will continue to abuse people’s demand for vaccine. If there’s any lesson to be learned from this research, it’s that Android users should always be wary of apps requesting access to the Accessibility Service, as it’s the main access route for criminals into mobile devices.

We advise people to be vigilant and get any COVID-19 related information from known, proper channels and official government sources.

Indicators of Compromise

Hydra

Samples

Md5	Package name
af2e61a6778c3a3a1001f87ea9c96e80	uniform.despair.grass
56d07c9e9747c63ad8ee03a46fc5d26d	ball.ridge.fly

Hydra targeted applications

Package name	Application name
cl.android	Banco Falabella \| CMR
co.com.bbva.mb	BBVA Colombia
com.bancocajasocial.geolocation	Banco Caja Social Móvil
com.bankia.wallet	Bankia Wallet
com.bankinter.launcher	BankinterMóvil
com.bbva.bbvacontigo	BBVA Spain \| Mobile Banking
com.bbva.netcash	BBVA Net Cash \| ES & PT
com.cajaingenieros.android.bancamovil	Caja de Ingenieros Banca MÓVIL
com.citibanamex.banamexmobile	CitibanamexMóvil
com.grupoavalav1.bancamovil	AV Villas App
com.indra.itecban.triodosbank.mobile.banki*	Triodos Bank. Banca Móvil
com.kutxabank.android	Kutxabank
com.mediolanum	Banco Mediolanum España
com.rsi	ruralvía
com.rsi.Colonya	ColonyaCaixaPollença
com.targoes_prod.bad	TARGOBANK – Banca a distancia
com.todo1.davivienda.mobileapp	DaviviendaMóvil
com.todo1.mobile	Bancolombia App Personas
es.bancosantander.apps	Santander
es.caixagalicia.activamovil	ABANCA- Banca Móvil
es.caixaontinyent.caixaontinyentapp	CaixaOntinyent
es.cecabank.ealia2103appstore	UniPayUnicaja
es.cm.android	Bankia
es.lacaixa.mobile.android.newwapicon	CaixaBankNow
es.liberbank.cajasturapp	Banca Digital Liberbank
es.openbank.mobile	Openbank – bancamóvil
es.univia.unicajamovil	UnicajaMovil
eu.netinfo.colpatria.system	Scotiabank Colpatria
net.veritran.becl.prod	BancoEstado
www.ingdirect.nativeframe	ING España. Banca Móvil