Corona Updates

Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]

ID: S0425
Associated Software: Wabi Music, Concipit1248
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 24 April 2020
Last Modified: 30 April 2020

Associated Software Descriptions

Name Description
Wabi Music [1]
Concipit1248 [1]

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

Corona Updates can collect the device’s call log.[1]

Mobile T1432 Access Contact List

Corona Updates can collect device contacts.[1]

Mobile T1517 Access Notifications

Corona Updates can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.[1]

Mobile T1429 Capture Audio

Corona Updates can record MP4 files and monitor calls.[1]

Mobile T1512 Capture Camera

Corona Updates can take pictures using the camera and can record MP4 files.[1]

Mobile T1412 Capture SMS Messages

Corona Updates can collect and send SMS messages.[1]

Mobile T1533 Data from Local System

Corona Updates can collect voice notes, device accounts, and gallery images.[1]

Mobile T1475 Deliver Malicious App via Authorized App Store

Corona Updates has been distributed through the Play Store.[1]

Mobile T1430 Location Tracking

Corona Updates can track the device’s location.[1]

Mobile T1437 Standard Application Layer Protocol

Corona Updates communicates with the C2 server using HTTP requests and has exfiltrated data using FTP.[1]

Mobile T1426 System Information Discovery

Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.[1]

Mobile T1422 System Network Configuration Discovery

Corona Updates can collect device network configuration information, such as Wi-Fi SSID and IMSI.[1]

References