Threat actors are exploiting fear and uncertainty to spread Covid-19 themed malicious Android package kits (APKs) onto users’ mobile devices. APKs pose a significant risk to end users because of the sensitive personal information and credentials stored on mobile devices.
We analyzed a popular APK to see if it shares binary code with other Android malware. This particular sample copies significant portions of code from previous Cerberus, Anubis and Ginp variants. Code reuse appears to be an ongoing trend among malicious Android applications.
Update as of April 20
We have been monitoring a high number of malicious APK samples reported on Twitter. For instance, this tweet from MalwareHunterTeam indicating a fake APK alleging to be sponsored by the Turkish Ministry of Health:
Turkish Coronavirus related campaign, site says "sponsored by the Ministry of Health"…
cc @LukasStefanko @virqdroid pic.twitter.com/P0qnrKsv5l
— MalwareHunterTeam (@malwrhunterteam) April 21, 2020
Or this example of “Covid.apk” –
Here is another example –
— MalwareHunterTeam (@malwrhunterteam) April 18, 2020
Many of these samples had low detections upon initial upload to VirusTotal, including this fake media player application which had only four detections –
We analyzed the APK using Intezer Analyze which classified the threat to Cerberus:
The main connection here is to Cerberus, a banking trojan that attempts to steal the victim’s banking credentials. Cerberus recently underwent an upgrade and is now being shipped with full RAT functionality. The malware can provide its operator with full access to the storage of the infected device. Because this particular application shares 124 genes (or 31.23%) of its code with Cerberus, we can understand that it is a new variant.
MediaPlayer.apk has a strong genetic connection to Anubis, an Android malware which source code leaked in 2019, and is being used by adversaries to develop future Android threats.
We also see shared code with Ginp, which is another APK malware and which shares code with Anubis, as seen from the analysis report. The connection between Ginp and Anubis has been documented in the past and is easy to spot in Intezer Analyze.
Intezer Analyze supports genetic analysis for Android applications
As threat actors continue to exploit fear and uncertainty to spread malware via Covid-19 themed apps, try uploading them to the free community edition to detect malicious APKs and better understand the origins of these threats.
This is a beta feature so please help us improve by sharing your feedback. If you receive an analysis that you think can be improved, let us know by clicking on the report analysis button in the upper right corner of Intezer Analyze.