Fake Android Coronavirus App Reveals iPhone Spyware Potential

A new spyware campaign that uses both cryptocurrency and coronavirus as lures may be ready to strike iPhone and Android users.

Tom's Guide took a closer look at the domain names and companies listed in Trend Micro's report and found information that blurs the line between legitimate online companies and possible criminal activity.

The Android spyware apps can steal Facebook messages, WhatsApp messages, text messages, contact lists, call history, photos, location and device information from infected phones.

Although the iOS apps have fewer information-stealing capabilities, Trend Micro believes that the "apps may still be in development or in hiding, waiting for the 'right time' to inject malicious code."

Two of these apps are still available in both the Google Play and iOS app stores, but Trend Micro says the malware's apparent "coding style suggests that the cybercriminals behind this campaign are amateurs," it noted.

If you are an Android user, you will want to protect yourself with one of the best Android antivirus apps. The iPhone has no such antivirus software, but Apple told Trend Micro that iOS's "sandbox can detect and block these malicious activities."

The app appears to originate from a company called Concipit 1248, whose website declares it to be "the first cashback platform on the blockchain." The company offers a white paper explaining its business model, and its executives appear to be of mixed Pakistani and Italian descent. Concipit 1248 appears to be based in Estonia, and its website appears to be perfectly legitimate.

However, Concipit 1248 is associated with a website called cashnow.ee. (The best antivirus software blocks access to it.)

Its subdomain, "spy.cashnow.ee," features a "V for Vendetta" mask with the words "Project Spy 201" and "Target Mr Anonymous." It appears to be a full cybercrime site, complete with a flashy background animation that references "Anonymous."

As a result, Trend Micro calls the entire operation "Project Spy."

Concipit 1248 currently has two apps, Concipit 1248 and Concipit Shop, in both the Google Play and iOS app stores.

The former has to do with the Ethereum cryptocurrency, while the latter appears to be a cash-back platform for online shopping. Both apps' self-descriptions are a salad of trendy tech and business buzzwords.

Trend Micro investigated the iOS version of the Concipit 1248 app and found it communicating with the "spyware.cashnow.ee" server. It is unclear whether Trend Micro investigated or was aware of the Android versions of these apps.

The unraveling of this threat thread began last month, when Trend Micro investigated a fake Android app called "Coronavirus Updates."

Tom's Guide looked for Coronavirus Updates in the official Google Play store. While we could not find it, Trend Micro's report suggested that the app had been there for some time.

Coronavirus Updates, as mentioned above, steals all sorts of information from Android phones. Like the Concipit 1248 app for iOS, it dials up and logs into the aforementioned "spy.cashnow.ee" server.

Trend Micro discovered that "spyware.cashnow.ee" was also used by previous Android spyware apps, including a music-sharing app that appears to be a fake version of TikTok. That app is no longer offered, but its developer was listed on Google Play as Concipit 1248.

Registry information for both the "concipit1248.com" and "cashnow.ee" domains is hidden behind a privacy proxy, but Tom's Guide found the contact name and email address for "cashnow.ee" listed with the Estonian domain registrar, which is where we found the email address. (".ee" is the suffix of the Estonian top-level domain.)

The contact name for "cashnow.ee" matches the name of the founder of Concipit 1248 as listed in the company's white paper, as well as the name of a 38-year-old man who is part of the management team of an Estonian company called CashNow.

The contact email address apparently refers to Concipit 1248. Tom's Guide sent a message to the company seeking comment on Trend Micro's report.

Trend Micro noted that "we will continue to monitor this campaign for further developments, as this is a group we have not observed before."

Tom's Guide must emphasize that these various companies and websites may be perfectly legitimate and may not be involved in anything illegal; even the "spyware.cashnow.ee" website may be a cynical joke. But there is plenty of circumstantial evidence to suggest otherwise.