Fake Aarogya Setu apps carrying spyware spotted

Cyber security researchers have found fake malicious versions of Aarogya Setu, the Indian government’s coronavirus contact tracing mobile application. The app gained immense popularity across the country and crossed five million downloads within the first three days from its launch, becoming a target for cybercriminals.

As the world battles against the pandemic, a huge number of coronavirus tracking apps have been developed over the last few months. SonicWall Labs Threats research team found fake Aarogya Setu apps carrying spyware, which is capable of making phone calls, recording audio, send SMS, take pictures and record videos from the camera.

If the user deletes Aarogya Setu app from the device by long pressing the icon > uninstall method, only the legitimate app is removed, while the malicious app would still be available on the device. The only way to remove the malicious app is to remove it from settings > apps > uninstall. This trick has the potential to fool several users who are not vigilant.

The research team observed that some of these malicious apps are piggybacked on the legitimate Aarogya Setu app in the resources folder.

Resources is a system folder which is used to store the values for the details and permissions of apps in the Android OS.

These malicious apps install the legitimate app in the background, a technique used to fool the user into believing that the user installed the legitimate app. In reality, the malicious app executes its criminal functions in the background.

There are a number of fake apps that re-brand the Aarogya Setu icon and application name. In this case, the app is shown as the legitimate Aarogya Setu along-side the legitimate app. Upon execution, users do not see any activity on the screen. However, after some time, the app icon disappears from the app drawer.

Another fake app being shown as an Aarogya Setu Add-on app, is not an official application. As the user installs and executes the app, it requests for the Device-Admin privileges and permission for installation from this source. To look less suspicious to the user, it also installs the official, legitimate Aarogya Setu App from its resource folder.

In this case, the malware author has successfully duplicated the official Aarogya Setu icon. Basis the icon, identification of this malicious app is difficult. In most cases, the common element was the containment of spyware capabilities. All these apps contain code that is like the Android spyware SpyNote which can make phone calls, recording audio, send SMS, take pictures and record videos from the camera, and start the spyware every time the device reboots.

“As the Aarogya Setu App gained popularity in India, it became a target for malware creators. With increasing cyberthreats it appears that cybercriminals are working overtime to create dissonance among mass app users. We advise Android users to exercise maximum caution while downloading and using the Aarogya Setu App,” said Debasish Mukherjee as VP, Regional Sales - APAC at SonicWall.