CovidLock
From Wikipedia, the free encyclopedia
| CovidLock | |
|---|---|
| Malware details | |
| Technical name | trojan.locker/andr |
| Classification | Ransomware |
| Cyberattack event | |
| Date | March 2020 |
| Technical details | |
| Platform | Android |
| Written in | Java |
CovidLock is an Android-based ransomware built with Java used in a ransomware campaign during the height of the COVID-19 pandemic that would pretend to be a coronavirus tracking tool which would ask for administrator permissions and accessibility permissions which would be used to lock the user from using their phone.[1] It is one of the many apps that have used COVID-19 to spread itself with social engineering.[2]
The ransomware was spread through an APK file on a website which was created in March 2020 claiming to track coronavirus infections and could only be installed through Android side-loading since the application was not on Google Play.[3][4] When the app is ran, it asks for administrator permissions and accessibility permissions while maintaining persistence through BOOT_COMPLETED which would allow the app to startup after every device boot.[5] After the user gives the permissions needed and clicks the "Scan Area For Coronavirus" button the app will change the screen to a ransom message asking the user to pay USD$100 to a Bitcoin address threatening to leak every photo and video the user has taken to everyone in their contact list and also delete all the contacts, videos, images, messages and other personal information on the device in 48 hours.[6][7] The Bitcoin address which is needed to send the funds isn't hardcoded into the application's code and is instead shown on an anonymous Pastebin post which the user is redirected to through a bit.ly link, though the actual decryption key that is needed is hardcoded into the application's code as "4865083501" which, when used, tells the user their phone is now decrypted.[8][9]
Another Pastebin ransom note from the ransomware instead asked for US$250 instead of just 100.[10]
Reactions
The Cybersecurity and Infrastructure Security Agency of the United States issued a warning of the app CovidLock and others that exploit the fear mongering of the coronavirus.[11]
References
- ↑ Wang, Liu; He, Ren; Wang, Haoyu; Xia, Pengcheng; Li, Yuanchun; Wu, Lei; Zhou, Yajin; Luo, Xiapu; Sui, Yulei; Guo, Yao; Xu, Guoai (2021). "Beyond the virus: a first look at coronavirus-themed Android malware". Empirical Software Engineering. 26 (4): 82. doi:10.1007/s10664-021-09974-4. PMC 8196937. PMID 34149303.
- ↑ Hodge, Rae (2020-07-13). "Coronavirus scams: How to protect yourself from identity theft during COVID-19". CNET. Retrieved 2025-11-26.
- ↑ Modlin, Amber; Gregory, Andrew; Odebode, Iyanuoluwa; Hodson, Douglas D.; Grimaila, Michael R. (2021). "CovidLock Attack Simulation". In Arabnia, Hamid R.; Deligiannidis, Leonidas; Grimaila, Michael R.; Hodson, Douglas D.; Joe, Kazuki; Sekijima, Masakazu; Tinetti, Fernando G. (eds.). Advances in Parallel & Distributed Processing, and Applications. Transactions on Computational Science and Computational Intelligence. Cham: Springer International Publishing. pp. 25–34. doi:10.1007/978-3-030-69984-0_3. ISBN 978-3-030-69984-0.
- ↑ Stone, Jeff (2020-03-16). "A coronavirus-tracking app locked users' phones and demanded $100". CyberScoop. Retrieved 2025-11-26.
- ↑ Desai, Shivang (2020-03-16). "Android Ransomware Walkthrough and How to Unlock". Zscaler. Retrieved 2025-11-26.
- ↑ Kvn, Rohit (2020-03-17). "Ransomware alert: Hackers using fake coronavirus tracker app to lock Android phones". Deccan Herald. OCLC 185061134. Retrieved 2025-11-26.
- ↑ Villas-Boas, Antonio (2020-03-16). "A fake coronavirus tracking app is actually ransomware that threatens to leak social media accounts and delete a phone's storage unless a victim pays $100 in bitcoin". Business Insider. OCLC 1076392313. Retrieved 2025-11-26.
- ↑ Anderson, Chad; Saleh, Tarik; McNee, Sean M. (2021). "Discovering CovidLock". Cyber Security. 5 (1): 27–36. doi:10.69554/ECYY5546.
- ↑ Barth, Bradley (2020-03-16). "Password found to rescue victims of malicious COVID-19 tracker app". SC Media. Retrieved 2025-11-26.
- ↑ "CovidLock Ransomware: In-Depth DomainTools Research". DomainTools. 2020-03-16. Archived from the original on 2025-08-10. Retrieved 2025-11-26.
- ↑ "COVID-19 Exploited by Malicious Cyber Actors". Cybersecurity and Infrastructure Security Agency. 2020-04-08. Retrieved 2025-11-26.