While the coronavirus pandemic continues to grip the world, fraudsters are stoking another kind of outbreak – using fear as a hook to pull users towards malicious apps and websites. Some estimates suggest more than 3% of the coronavirus information websites that have popped up since the beginning of the year contain malicious content.
A host of new COVID-19-themed attacks targeting mobile users have popped up in the last few weeks.
They attempt to lure unsuspecting victims into visiting bogus news sites, clicking on deceptive links, or revealing personal and financial information over the phone.
We’ve gathered some of the most common coronavirus mobile frauds below, along with advice on how you can avoid getting caught in the expanding pandemic scam-net.
Tricking Users Into Giving Up Their Personal Data
Fraudsters are offering free pandemic news apps to try and trick people into giving them information.
While they aren’t available in official mobile marketplaces like the iOS App Store or Google Play, the apps are still able to entice users by offering access to ‘secret’ COVID-19 news or unofficial medicines and therapeutic recipes.
One recent malware attack hijacked the DNS settings for home routers to make web browsers display alerts for a fake COVID-19 information app, purportedly from the World Health Organization (WHO).
In reality, the app was little more than a delivery mechanism for the Oski data-harvesting virus.
Criminals are also copycatting government-sanctioned mobile apps that help citizens track the spread of symptoms and infections. By taking advantage of inconsistencies in the apps’ release schedules, fraudsters have been able to convince users to add malicious updates that contain backdoors for malware.
Phishing Scams And Bad Attachments
With so much news about the pandemic landing every day, phishing attacks that exploit fear and hunger for information are also on the rise.
Fraudsters are sending emails offering privileged information about the coronavirus from what appear to be legitimate organisations. Recipients just have to ‘click the link’ or open an attachment to see the news, which activates a download of malicious software to their device.
Workplace email accounts have also been targeted as employees expect to receive coronavirus-related updates from their employers, and inherently trust communications that look like they’ve been sent by their own company.
Subjects like ‘Offices to close until April 3rd’ are, understandably, proving to be irresistible to many employees, who do as they’re told in the email and click to open the ‘attached instructions.’
More Home Working Creates More Opportunities For Hackers
The sudden mass shift to home working is also widening the attack surface for cybercriminals. IT departments are under pressure to relax security policies while first-time remote workers get their PCs up and running for access to company systems from outside the corporate network.
Additional permissions have to be granted, for example, to enable use of USB devices, register employees’ personal devices on the network, or provide local administrator privileges.
Searching For Distraction. Finding Malware
Country-wide lockdowns and restrictions on movement mean everyone is spending more time at home. With shops, restaurants, gyms, cinemas and theatres all shut, people everywhere are looking for new ways to be entertained. Gaming platforms are busier than ever, and many people are trying out new apps like puzzles & quizzes, comedy videos, and other kinds of time-killing light entertainment.
But as great as mobile devices are at distracting us from boredom, smartphone users need to be extra careful.
At Secure-D we’ve recently observed an uptick in malicious “leisure” apps on the Google Play Store, like Atlas Box, Puzzle Addict, and Video Lounge. These apps offer free entertainment, but in reality they’ve been created to trick users into subscribing to premium services.
COVID-19 Mobile Do’s And Don’ts
Common sense counts for a lot in cybersecurity, but in exceptional times you need to be extra vigilant. Here is an anti-scam checklist to help keep you safe:
Definitely Don’t …
- … panic if you believe you have given away sensitive information like a username or password by mistake. Immediately change them on any site where you have used them
- … trust messages that attempt to gather personal information
- … respond to telephone requests for personal or financial information
- … reuse passwords across multiple accounts and devices
But Definitely Do …
- Report a scam immediately if you see one
- Start using the ‘strong’ passwords that web browsers, like Safari, now create automatically
- Check all the links in any emails you receive before clicking, and make sure they look legitimate
- Take extra care when answering incoming calls
- Read the sender’s email address (not just their name) to make sure the email address looks right
- If an email or text message asks for sensitive information or payment – double check it
- Install the most recent security updates for your browser, mobile devices, and PC
- Only install applications you are 100% certain come from legitimate sources
- Make sure you review the ratings and requested permissions for any application you install
And finally: Always (always!) think twice before you click.
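For readers who triage reported emails, two of the checks in the list above (read the sender's address rather than the display name, and check where links really go) can be automated. The following is an added example, not part of the original article; the sample message, the placeholder domains and the `trusted_domains` list are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; all domains and addresses are placeholders.
SAMPLE = """\
From: "Example Corp HR" <hr@examp1e-corp.example.net>
Subject: Offices to close until April 3rd
Content-Type: text/html; charset="utf-8"

<p>Read the <a href="http://198.51.100.7/instructions">https://intranet.example.com/covid</a>
and the <a href="https://intranet.example.com/policy">remote working policy</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

def host_in(host, trusted):
    # True for a trusted domain itself or any of its subdomains.
    return any(host == d or host.endswith("." + d) for d in trusted)

def review_email(raw, trusted_domains):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    if not host_in(addr.rpartition("@")[2].lower(), trusted_domains):
        findings.append(f"sender {addr!r} (shown as {name!r}) is outside trusted domains")
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text.strip()).hostname or "").lower() if "://" in text else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        elif not host_in(target, trusted_domains):
            findings.append(f"link goes to untrusted host {target}")
    return findings
```

Calling `review_email(SAMPLE, ["example.com"])` flags the look-alike sender domain and the link whose visible text does not match its real destination, while the genuine intranet link passes.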