In these days of particular sacrifices due to the spread of the COVID-19 pandemic, cyber criminals do not seem to save anyone and on the contrary, taking advantage of the emotional involvement that many people have towards this topic, they have continued and in many cases increased their hostile activities not only against normal users but also towards the health and pharmaceutical research sector.

In the late evening of yesterday, within the COVID-19 CTI League, a group of about 400 experts gathered together to combat cyber threats related to the exploit of Covid-19 themed campaigns, a potentially malicious application emerged aimed at Italian users. A few moments later the same malicious application was also reported by Twitter users malwarehunterteam and ESET Research.

Indeed, to deal with the coronavirus emergency, several organizations and enterprises in the biotech sector have released different tools to help track and estimate the number of the COVID-19 positive people. One of these tools is SMCovid19. It’s an Android app developed by SoftMining, a company from South Italy specialized in pharmaceutical research. The app allows the user to report his symptoms and to consult useful information and statistics about the CoronaVirus spread. The app was directly downloadable as APK package from SoftMining official website. The following is an image showing it at first run:

Exploiting the importance of this app in the current emergency scenario, criminals have repackaged the software with malicious code to spying and obtain information from unaware users. Telsy TRT have pivoted into five different versions of the trojanized app that share the same code with different classes names and command-and-control servers.

Technical details

Comparing the Manifest file of the legit one, the first suspicious indicator we can see is the list of the permissions requested by the application. As visible in the following figure, in the injected version the attacker inserted many permission requests which have little to do with the app purpose, such as READ_CALL_LOG and READ_SMS.

During the manipulation, some vendor-related permissions are also removed (i.e. “OPPO_COMPONENT_SAFE”), as illustrated in the yellow rows of the image above.

From the manifest comparison, it’s possible to extract also some components that are included only in the modified version, such as a receiver named “Bamhv” (the name changes in the other versions of the malicious app)

and a service named “Dgmhk”, belonging to the same package of the receiver.

This package seems to be the only added to the package list of the legit app, as shown in the following figure:

Inspecting the added code to understand the functionalities embedded by cyber criminals, we can observe that the receiver, when triggered, is used only to start the service which in turn invokes the main contained in the class Xpkde. This class seems to be the core of the malicious package.

Indeed, it statically declares a huge array which is subsequently used by the various methods. Taking a look to the bytes inserted into this array, it is possible to extract the address of the command and control, in this case tcp://95.239.79.156:24079”.

The code uses a TCP socket to interact with its server. As visible in the following snippet, the malware supports also HTTP/HTTPS connection, indicating the code does not change depending on protocol used by the server. After retrieved the server response and created the DataInputStream object, the method a() is invoked, passing the object as parameter.

Viewing the following code snippet, it is easy to understand the purpose of this last method. Starting from the object received, it is able to load and run a new class from a file “.class” or a “.dex” one.

In all versions under analysis, the package don’t seem to have other classes or functionalities. So, any other capability is added at runtime depending on what the attackers want his creation do.

Indicators of Compromise

SHA256: 47007ce18133cdbc80e07bdf9c8de9f61e17c74102409224d88b2fdb832aab85

SHA256: 7b8794ce2ff64a669d84f6157109b92f5ad17ac47dd330132a8e5de54d5d1afc

SHA256: 8da5aacc3ad93c1fc461acc3fc4d22f02596bdb7e3e6fbff8a6b8a447e3b6620

SHA256: 17861cdaf1b3e5cd1888fc9d9db08173ece88dce225f174eb19d700f31693ec0

SHA256: e64c549f5a7023579d9a1a936aac7a11c794a99be27ac8d87f0629610572beaf

IP: 87.19.73.8

IP: 95.239.79.156