March 18, 2020

Commercial Surveillanceware Operators Exploit COVID-19

As COVID-19 spreads and individuals seek accurate information about the virus and its impacts, governments and businesses are extensively using email, text messages, and other digital tools to communicate with citizens and customers alike. Unfortunately, cybercriminals and scammers have taken advantage of the increase in communication around this topic, as well as individuals’ desires to stay up to date, find health tips, or track the spread of the disease.

Lookout researchers who were investigating potentially malicious mobile applications pertaining to this topic discovered an Android application that appears to be the most recent piece of tooling in a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals.

Icons of newly discovered trojanized applications taking advantage of the current COVID-19 crisis, which are part of a larger Android surveillance campaign.

The application is titled “corona live 1.1.” Upon first launch, the app informs the user it does not require special access privileges, but subsequently proceeds to request access to photos, media, files, device location, as well as permission to take pictures and record video.

In reality, the corona live 1.1 app is a SpyMax sample, a trojanized version of the legitimate “corona live” application (SHA1: 134b53eb8b772f752ae4019b5f9b660c780e7773), which provides an interface to the data found on the Johns Hopkins coronavirus tracker including infection rates and number of deaths over time and per country.

Screenshot of the application when opened, and after a user allows the requested permissions to use the application.


SpyMax is a commercial surveillanceware family that appears to have been developed by the same creators as SpyNote, another low-cost commercial Android surveillanceware. SpyMax has all the capabilities of a standard spying tool, and forums referencing the malware praise its “simple graphical interface” and ease of use.

Screenshot of a SpyMax admin console, which allows the user to manage a device’s calls, contacts, location, microphone, and more.


SpyMax allows the actor to access a variety of sensitive data on the phone, and provides a shell terminal and the ability to remotely activate the microphone and cameras.


SpyNote Permissions

While this “corona live 1.1” application itself appears to be waiting for more functionality, it stores command and control (C2) information in resources/values/strings, as is common in SpyMax and SpyNote samples; that file contains the hard-coded address of the attacker’s server.

Pivoting off the domain of the C2 server enabled Lookout researchers to find 30 unique APKs that share infrastructure in what appears to be a larger surveillance campaign that has been ongoing since at least April 2019. The applications used by this actor are functional and belong to a variety of commercial surveillanceware families that the Lookout research team has been tracking for years, including SpyMax, SpyNote, SonicSpy, SandroRat, and MobiHok.
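The two analysis steps just described, pulling the hard-coded C2 address out of a sample’s decoded resources/values/strings and then pivoting on that address to cluster other samples that share it, can be scripted. The following is an added triage example, not Lookout’s tooling: the three strings.xml fragments are constructed stand-ins, and every host in them is a placeholder (the `.invalid` TLD and a documentation IP), not an indicator from this report.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed stand-ins for the decoded res/values/strings.xml of three
# hypothetical samples. Hosts and ports are placeholders, not real IOCs.
SAMPLES = {
    "sample-A.apk": """<resources>
        <string name="app_name">corona live</string>
        <string name="host">c2-placeholder.ddns.invalid</string>
        <string name="port">1337</string>
    </resources>""",
    "sample-B.apk": """<resources>
        <string name="app_name">media player</string>
        <string name="srv">c2-placeholder.ddns.invalid:1337</string>
    </resources>""",
    "sample-C.apk": """<resources>
        <string name="app_name">ipinfo</string>
        <string name="ip">203.0.113.10</string>
    </resources>""",
}

# Dynamic-DNS style hostnames (the report's C2 used No-IP's ddns.net; the
# pattern also accepts duckdns and the .invalid placeholder used here) and
# bare IPv4 literals are treated as candidate C2 endpoints. The IPv4 pattern
# will also hit version-like strings, so results are candidates to review.
DYNDNS = re.compile(r"\b[\w.-]+\.(?:ddns|duckdns)\.[a-z]+\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_c2(strings_xml: str) -> set:
    """Return candidate C2 hosts found in <string> values of one strings.xml."""
    hosts = set()
    for node in ET.fromstring(strings_xml).iter("string"):
        value = (node.text or "").strip()
        for rx in (DYNDNS, IPV4):
            match = rx.search(value)
            if match:
                hosts.add(match.group(0).lower())
    return hosts

def cluster_by_c2(samples: dict) -> dict:
    """Pivot step: map each candidate C2 host to the samples embedding it."""
    clusters = defaultdict(set)
    for name, xml in samples.items():
        for host in extract_c2(xml):
            clusters[host].add(name)
    return {host: sorted(names) for host, names in clusters.items()}

if __name__ == "__main__":
    for host, names in cluster_by_c2(SAMPLES).items():
        print(f"{host}: {', '.join(names)}")
```

Samples A and B land in one cluster because they embed the same dynamic-DNS host, which is the same kind of shared-infrastructure link the researchers used to tie the 30 APKs together.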

The titles of the apps that share the malicious infrastructure are fairly generic. The two newest are COVID-19-related, with another sample called “Crona.” What piqued the researchers’ interest were three applications titled “Libya Mobile Lookup.” These trojanized apps belong to the SpyNote family and are the earliest ingested samples that communicate with the C2 infrastructure. This indicates they were likely the first apps rolled out in this surveillance campaign, and they offer insight into who the targeted demographic might be.

Application icons from this surveillance campaign pretending to be applications related to Coronavirus, as well as media players, IP information, and interestingly, the Libya Mobile Lookup application, a service that lets a user search for the customer name of a Libyan mobile number.

The C2 domain is hosted through the dynamic DNS provider No-IP and previously resolved to a number of different IP addresses in the same range of addresses. The address space appears to be operated by Libyan Telecom and Technology, a consumer internet service provider, and the naming of the reverse DNS records associated with the IP addresses indicates that they are likely part of a pool used for DSL connections.

The person or group running the campaign is likely in Libya and using their own infrastructure to run the C2, or is leveraging infrastructure they have compromised there. As the applications are also specifically aimed at Libyan users, this appears to be a regionally targeted surveillance effort.

While Lookout researchers have not seen anything at the moment to indicate this is a state-sponsored campaign, the use of these commercial surveillanceware families has been observed in the past as part of the tooling used by nation states in the Middle East. While nation states can and do develop their own custom tooling, they have also been known to use out-of-the-box open-source and commercial tools, as well as sometimes use commercial or open source malware as a starting point to develop their own malware.

What is interesting to note is that the malware used in this campaign can be easily purchased and customized. Lookout researchers have found several connections between the families used in this campaign, and believe it is reasonable to assume the creator of MobiHok is familiar with SpyNote and has used or developed it in the past. In terms of ease of acquisition, SpyNote and MobiHok have fairly cheap licensing costs, and their vendors even offer support to help users set up their applications. With sites that offer an easy checkout process and customer support, these commercial surveillanceware vendors make it possible for anyone to acquire, customize and manage their own spy tools.


SpyNote features and purchasing price from the official website.

MobiHok pricing and capabilities from its website, which offers the same functionality as SpyNote and SpyMax and can be found for as little as $75 for a single license.

This surveillance campaign highlights how, in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of “off-the-shelf” spyware kits makes it fairly easy for malicious actors to spin up bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold. These applications were never available in the Google Play store. It is important to avoid downloading apps from third-party app stores and to avoid clicking suspicious links to “informative” sites or apps spread via SMS.


Authors

Kristin Del Rosso

Security Research Engineer

Kristin Del Rosso is a security researcher with a primary focus on reverse engineering Android applications. She works with her team to uncover new mobile threats, track actors and targets, and provide accurate research and reporting on these issues. She has spoken at BlackHat EU and NSEC on state-sponsored malware campaigns, and volunteers with Day of Shecurity, an organization aimed at tackling the gender diversity issue in cybersecurity.

Entry Type: Threat Summary
Platform(s) Affected: Android
Threat Type: Spyware
