April 10, 2020

Security, Privacy Issues Found in Government COVID-19 Mobile Apps

Governments worldwide have released COVID-19 mobile apps to provide citizens with useful information and, in some cases, to track individuals in an effort to contain the coronavirus outbreak.

An analysis of dozens of nation- and government-sponsored mobile applications for Android released to help with the current COVID-19 pandemic has revealed the existence of privacy risks, vulnerabilities and backdoors, ZeroFOX says in a post highlighting three of the analyzed apps.

The first of these apps is the official COVID-19 application that the Iranian government released. Available since early March, it was designed to track citizens and harvest personal information — two features that raise privacy concerns — all without providing information on the pandemic.

An imposter app that copies the government-sanctioned app was also identified. Dubbed CoronaApp, it is available for download at ‘coronaapp[.]ir’, a website that multiple news sites, Telegram groups, and social network posts link to.

The unofficial application requests access to the user's location, camera, Internet data, system information, and the ability to write to external storage. Despite asking for these permissions, the application does not appear to engage in malicious behavior.

According to the ZeroFOX security researchers, the risk posed by this application is high, especially since Iran is a country under sanctions and Google Play is not accessible to most Iranians, which means that the official protection mechanisms included in the app store are not available to them.

CoronaApp’s developers claim that the app was built with support from the Iranian government, although there is no reputable evidence to confirm that. The legitimacy of the claims in the news articles linking to the app’s download website could not be verified either, and the security researchers are confident that the app could be abused in the future.

Another app that puts user privacy at risk is the official CoronApp-Colombia application, meant to help individuals in Colombia track symptoms related to COVID-19. Available through Google Play, the app requests permissions to access location, read phone states, and read contacts, but is not malicious.

However, vulnerabilities in the app were found to impact more than 100,000 users, ZeroFOX reveals. Specifically, the app used only HTTP for communication, even though it transmitted both personal health information (PHI) and personally identifiable information (PII), exposing the data to man-in-the-middle attacks.

Data transmitted in clear text included names, document_type (which can include passports and other registration numbers), emails, passwords, gender, and race. However, the issue was addressed in late March, after Colombia CERT was alerted to the matter.

The security researchers also identified 12 APKs related to a campaign which involved a repackaged, backdoored application targeting Italian citizens. All of these APKs had the same signing certificate and issuer details.

Italy is using regional COVID-19 apps instead of a single national application. One of these regional apps, of which the developers had released a beta version, has been recompiled with a backdoor.

“The backdoor is present when the Android app receives a BOOT_COMPLETED intent, which is sent to any COVID-19 mobile apps that have this permission enabled when the phone boots, or when the app is opened,” ZeroFOX says.
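
A defender's triage of the manifest features the article describes (requested permissions, cleartext HTTP, a BOOT_COMPLETED receiver), as an added example that is not from ZeroFOX or the original article. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name and `triage_manifest` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions the article says the apps request, plus the boot-receiver permission.
SENSITIVE = {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA",
             "READ_CONTACTS", "READ_PHONE_STATE", "WRITE_EXTERNAL_STORAGE",
             "RECEIVE_BOOT_COMPLETED"}

# Constructed sample manifest; not taken from any app named in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.healthapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:usesCleartextTraffic="true">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text, target_sdk=28):
    """Return review findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    # Receivers that are started whenever the phone finishes booting.
    boot_receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver") for a in r.iter("action")
        if a.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED"
    ]
    app = root.find("application")
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    config = app.get(ANDROID + "networkSecurityConfig") if app is not None else None
    # With no explicit flag, cleartext HTTP is allowed by default only when
    # the app targets an API level below 28.
    cleartext = (flag == "true") if flag is not None else target_sdk < 28
    return {"sensitive_permissions": sorted(perms & SENSITIVE),
            "boot_receivers": boot_receivers,
            "cleartext_allowed": cleartext,
            "has_network_security_config": config is not None}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

When a networkSecurityConfig is present, that file governs the cleartext policy and should be reviewed as well. Manifests from untrusted APKs are better parsed with a hardened XML parser such as defusedxml.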