Privacy and data security could be attacked by cyber-criminals accessing unsecured official Coronavirus Android apps.
Privacy and security of people’s data could be compromised from attack because of poor security practices in official Coronavirus Android apps.
Researchers at ZeroFOX ascertained that there are several vulnerabilities in apps designed to track infections in the population. In a report, the researchers analysed a number of apps from governments in various parts of the world.
Three apps from different countries where security was lacking were highlighted. An app produced by the Iranian government, available through an app store called CafeBazaar, was harvesting personal information and tracking citizens instead of giving information on Covid-19.
An impostor application “CoronaApp” was also found and was available for direct download at `coronaapp[.]ir`. This unofficial download website is linked in multiple news websites, Telegram groups and social network posts. How it arrived there & how far it was distributed is unknown.
“This is especially harrowing because the application is not on the Google Play store, which provides application vetting processes. However, because the country is under sanction and most Iranians cannot access the Google Play store, they are thus vulnerable to unvetted COVID-19 mobile apps that some malicious developers can use to their advantage,” explained the researchers.
In Colombia, the CoronApp-Colombia app was supposedly designed to help people track symptoms related to COVID-19. However, it seems that the app contained a number of vulnerabilities that went on to affect the privacy of more than 100,000 users.
“The current version of CoronApp-Colombia on Google Play (1.2.9 as of 25 Mar 2020) uses Insecure Communication with the API server throughout the app workflow,” warned researchers. A hardcoded value in the app uses plain HTTP, rather than a more secure method such as HTTPS, for communication with the API server.
In Italy, apps aimed at various regions of the country indicate that hackers have taken advantage of the situation and launched malicious fake apps with backdoors.
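The defect described above, a hardcoded plain-HTTP API endpoint, is the kind of finding a pre-release review can catch mechanically. The following added example is not from the ZeroFOX report or from any of the apps discussed; it audits a decoded AndroidManifest.xml and a set of string constants (both constructed samples, with placeholder package name and hosts) for an explicit cleartext opt-in and for hardcoded http:// endpoints.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded manifest fragment, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.covid.tracker">
  <application android:usesCleartextTraffic="true" android:label="Tracker"/>
</manifest>"""

# Constructed sample: string constants as they might appear in decompiled code.
SAMPLE_STRINGS = [
    'BASE_URL = "http://api.example-tracker.test/v1/"',
    'HELP_URL = "https://example-tracker.test/help"',
    'SCHEMA = "http://schemas.android.com/apk/res/android"',
]

HTTP_URL = re.compile(r'http://[^\s"\'<>]+')
# XML namespace URIs are identifiers, not network endpoints; do not report them.
IGNORED_HOSTS = ("schemas.android.com", "www.w3.org")


def cleartext_permitted(manifest_xml: str) -> bool:
    """True if the manifest explicitly opts the app in to cleartext traffic.
    Only the explicit attribute is checked; platform defaults are not modelled here."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "usesCleartextTraffic", "false").lower() == "true"


def hardcoded_http_endpoints(strings):
    """Return every http:// URL found in the string constants, minus namespace URIs."""
    found = []
    for s in strings:
        for url in HTTP_URL.findall(s):
            host = url[len("http://"):].split("/")[0]
            if host not in IGNORED_HOSTS:
                found.append(url)
    return found


def audit(manifest_xml, strings):
    """Combine both checks into a list of findings for the reviewer.
    The fix for each finding is HTTPS plus a network security config
    with cleartextTrafficPermitted="false"."""
    findings = []
    if cleartext_permitted(manifest_xml):
        findings.append('manifest: android:usesCleartextTraffic="true"')
    for url in hardcoded_http_endpoints(strings):
        findings.append(f"hardcoded cleartext endpoint: {url}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(finding)
```

Running the file prints two findings for the constructed sample: the manifest opt-in and the http:// base URL.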
“A greater number of government-sanctioned applications causes users to be less certain of which Covid-19 mobile apps are legitimate. Threat actors have taken advantage of this confusion, and have released malicious applications, like this backdoored app, to prey on users who may mistakenly download the malicious app,” cautioned researchers.
Covid-19 mobile apps
“To prevent this and protect their citizens, it is highly important that governments ensure consistency with where Covid-19 mobile apps are able to be downloaded, and even with their appearance.”
Niamh Muldoon, senior director of Trust and Security at OneLogin, emphasised that it is vital that apps like this, which contain individuals’ most sensitive health data, are designed with both security and privacy as a priority.
Rigorous security testing
“Bear in mind that more rush can also lead to less speed. Rigorous security testing is needed prior to an app like this going into production and being released for public usage. Not designing security and privacy into the app could result in security and privacy holes,” she said.
Fabian Libeau, EMEA VP at RiskIQ, has commented that security teams need a solution that helps them quickly find, analyse and mitigate any mobile threats that may affect their official, unofficial and rogue mobile apps, and take very urgent corrective action with app stores from inside the platform.
“By discovering apps across hundreds of mobile app stores and monitoring them for malware or compromise, security personnel can maintain a secure mobile presence as well as the trust of their customers and prospects,” he observed.
The watchword is ‘caution’. The very words ‘Covid-19’, which spell out death and misery for most of the world, appear to spell out ‘bonanza’ and ‘payday’ for hackers and malign players, whose activities to take advantage amid a crisis of global proportions can best be described as ‘truly evil’.