CovidLock

Technical name trojan.locker/andr
Classification Ransomware
Cyberattack event
Date March 2020
Technical details
Platform Android
Written in Java

CovidLock is an Android ransomware written in Java that was used in a ransomware campaign during the height of the COVID-19 pandemic. It pretended to be a coronavirus tracking tool and asked for administrator permissions and accessibility permissions, which it used to lock the user out of their phone. [1] It is one of the many apps that have used COVID-19 as a social engineering lure to spread. [2]


Operation

The ransomware was spread as an APK file hosted on a website, created in March 2020, that claimed to track coronavirus infections. Because the application was not on Google Play, it could only be installed through Android side-loading. [3] [4] When the app is run, it asks for administrator permissions and accessibility permissions, and it maintains persistence through BOOT_COMPLETED, which allows the app to start up after every device boot. [5] After the user grants the required permissions and clicks the "Scan Area For Coronavirus" button, the app replaces the screen with a ransom message. The message asks the user to pay US$100 to a Bitcoin address and threatens to leak every photo and video the user has taken to everyone in their contact list and to delete all the contacts, videos, images, messages and other personal information on the device in 48 hours. [6] [7] The Bitcoin address for the payment is not hardcoded into the application's code; it is shown in an anonymous Pastebin post that the user is redirected to through a bit.ly link. The decryption key, however, is hardcoded into the application's code as "4865083501"; when it is entered, the app tells the user their phone is now decrypted. [8] [9]

Another Pastebin ransom note from the ransomware asked for US$250 instead of US$100. [10]

Reactions

The Cybersecurity and Infrastructure Security Agency of the United States issued a warning about CovidLock and other apps that exploit fear of the coronavirus. [11]

References

  1. Wang, Liu; He, Ren; Wang, Haoyu; Xia, Pengcheng; Li, Yuanchun; Wu, Lei; Zhou, Yajin; Luo, Xiapu; Sui, Yulei; Guo, Yao; Xu, Guoai (2021). "Beyond the virus: a first look at coronavirus-themed Android malware". Empirical Software Engineering. 26 (4). Springer Nature: 82. doi:10.1007/s10664-021-09974-4. ISSN 1573-7616. PMC 8196937. PMID 34149303 via PubMed Central.
  2. Hodge, Rae (2020-07-13). "Coronavirus scams: How to protect yourself from identity theft during COVID-19". CNET. Retrieved 2025-11-26.
  3. Modlin, Amber; Gregory, Andrew; Odebode, Iyanuoluwa; Hodson, Douglas D.; Grimaila, Michael R. (2021). Arabnia, Hamid R.; Deligiannidis, Leonidas; Grimaila, Michael R.; Hodson, Douglas D.; Joe, Kazuki; Sekijima, Masakazu; Tinetti, Fernando G. (eds.). "CovidLock Attack Simulation". Advances in Parallel & Distributed Processing, and Applications. Cham: Springer International Publishing: 25–34. doi:10.1007/978-3-030-69984-0_3. ISBN 978-3-030-69984-0 via Springer Science+Business Media.
  4. Stone, Jeff (2020-03-16). "A coronavirus-tracking app locked users' phones and demanded $100". CyberScoop. Retrieved 2025-11-26.
  5. Desai, Shivang (2020-03-16). "Android Ransomware Walkthrough and How to Unlock". Zscaler. Retrieved 2025-11-26.
  6. Kvn, Rohit (2020-03-17). "Ransomware alert: Hackers using fake coronavirus tracker app to lock Android phones". Deccan Herald. OCLC 185061134. Retrieved 2025-11-26.
  7. Villas-Boas, Antonio (2020-03-16). "A fake coronavirus tracking app is actually ransomware that threatens to leak social media accounts and delete a phone's storage unless a victim pays $100 in bitcoin". Business Insider. OCLC 1076392313. Retrieved 2025-11-26.
  8. Anderson, Chad; Saleh, Tarik; McNee, Sean M. (2021). "Discovering CovidLock". Cyber Security. 5 (1): 27–36. ISSN 2398-5100 via Ingenta Connect.
  9. Barth, Bradley (2020-03-16). "Password found to rescue victims of malicious COVID-19 tracker app". SC Media. Retrieved 2025-11-26.
  10. "CovidLock Ransomware: In-Depth DomainTools Research". DomainTools. 2020-03-16. Archived from the original on 2025-08-10. Retrieved 2025-11-26.
  11. "COVID-19 Exploited by Malicious Cyber Actors". Cybersecurity and Infrastructure Security Agency. 2020-04-08. Retrieved 2025-11-26.