Researchers at DomainTools have identified a malicious domain (coronavirusapp[.]site) that is used to trick victims into downloading a malicious Android app. While this app claims to provide real-time tracking and statistics about the Coronavirus outbreak, in reality, the only thing this app provides is a family of ransomware dubbed “CovidLock.”
By forcing a password change, CovidLock is able to prevent victims from accessing their phones. This is known as a screen-lock attack. Currently, the operators are requesting $100 in bitcoin, with a 48-hour deadline to pay. If the extortion is not paid in time, the threat actors behind the malicious app threaten to delete data from the victim’s device and publicly leak private information from social media accounts.
Binary Defense recommends only downloading Android apps from the Google Play store. This will help reduce the risk of untrusted third-party developers. To prevent screen-lock attacks from working, simply set a device password ahead of time. If a password is set on Android Nougat, ransomware that attempts to change this password will not work. DomainTools’ security research team has reverse-engineered the malware to recover the decryption keys, which will be released shortly.