A malicious domain (coronavirusapp[.]site) has been discovered that advertises an Android App that offers ‘real-time tracking’ of Coronavirus outbreaks with heat map visuals. It further entices potential victims by saying they can search addresses to see outbreaks near them.
Installing the app installs a previously unseen variant of Android ransomware, named “CovidLock”, which performs a screen-lock attack that changes the password used to unlock the phone.
After locking the phone, it presents a ransom note saying the victims have 48 hours to pay $100 in Bitcoin before it wipes the phone’s pictures, videos, contacts, and memory. It goes further to say it will also publicly leak all social media accounts of the victim.
Android Nougat (7.0) has a built-in defense against screen-lock attacks, but the user must have already established a password to unlock the screen. Those who have not established a screen-lock password are still vulnerable to CovidLock.
As a reminder, users should only download applications from the Google Play Store, as installing applications from any third-party store or source carries a higher risk of infection.
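To check DNS query logs for lookups of the domain named above, the sketch below refangs the indicator and matches it on label boundaries so that look-alike names do not trigger. It is an added example, not part of the original advisory; the log format, client addresses, timestamps and function names are constructed assumptions.

```python
import re

# Indicator as published on this page, in defanged form.
DEFANGED_IOCS = ["coronavirusapp[.]site"]

def refang(indicator):
    """Turn a defanged domain (name[.]tld) into a lowercase, matchable name."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def matches_ioc(qname, iocs):
    """True if qname equals an IoC domain or is a subdomain of one."""
    labels = qname.strip().lower().rstrip(".").split(".")
    # Test each parent suffix (a.b.c, b.c, c) so matching only happens on
    # whole labels; plain substring or endswith() checks would also flag
    # notcoronavirusapp.site or coronavirusapp.site.example.com.
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))

# Assumed log layout: "<timestamp> client=<ip> query=<name> type=<rrtype>"
QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

def find_hits(log_lines, defanged=DEFANGED_IOCS):
    """Return (client, queried name) pairs for lines that hit an IoC."""
    iocs = {refang(i) for i in defanged}
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_ioc(m["qname"], iocs):
            hits.append((m["client"], m["qname"]))
    return hits

# Constructed sample lines (not real traffic): two true hits, two look-alikes.
SAMPLE_LOG = [
    "2020-03-13T10:02:11Z client=10.0.0.5 query=coronavirusapp.site. type=A",
    "2020-03-13T10:02:15Z client=10.0.0.7 query=www.CoronavirusApp.site type=A",
    "2020-03-13T10:03:01Z client=10.0.0.8 query=notcoronavirusapp.site type=A",
    "2020-03-13T10:03:09Z client=10.0.0.9 query=coronavirusapp.site.example.com type=A",
]

if __name__ == "__main__":
    for client, qname in find_hits(SAMPLE_LOG):
        print(f"ALERT client={client} queried {qname}")
```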