How COVID-19 Is Driving The Spread Of New Mobile Scams

While the coronavirus pandemic continues to grip the world, fraudsters are stoking another kind of outbreak – using fear as a hook to pull users towards malicious
apps and websites. Some estimates suggest more than 3% of the coronavirus information
websites that have popped-up since the beginning of the year contain malicious content.

A host of new COVID-19-themed attacks targeting mobile users
have popped-up in the last few weeks.

They attempt to lure unsuspecting victims into visiting bogus news sites,
clicking on deceptive links, or revealing personal and financial information over the phone.

We’ve gathered some of the most common coronavirus mobile frauds below,
along with advice on how you can avoid getting caught in the expanding pandemic scam-net.

Tricking Users Into Giving Up Their Personal Data

Fraudsters are offering free pandemic news apps to try and trick people
into giving them information.

While they aren’t available in official mobile marketplaces like the iOS App
Store or Google Play, the apps are still able to entice users by offering access to ‘secret
’ COVID-19 news or unofficial medicines and therapeutic recipes.

One recent malware attack hijacked the DNS settings for home routers to
make web browsers display alerts for a fake COVID-19 information app, purportedly
from the World Health Organization (WHO).

In reality, the app was little more than a delivery mechanism for
the Oski data harvesting virus.

Criminals are also copycatting government-sanctioned mobile apps that
help citizens track the spread of symptoms and infections. By taking advantage of inconsistencies
in the apps’ release schedules, fraudsters have been able to convince users to
add malicious updates that contain backdoors for malware.

Phishing Scams And Bad Attachments

With so much news about the pandemic landing every day,
phishing attacks that exploit fear and hunger for information are also on the rise.

Fraudsters are sending emails offering privileged information about
the coronavirus from what appear to be legitimate organisations. Recipients
just have to ‘click the link’ or open an attachment to see the news, which activates a
download of malicious software to their device.

Workplace email accounts have also been targeted as employees expect to
receive coronavirus-related updates from their employers, and inherently trust
communications that look like they’ve been sent by their own company.

Subjects like ‘Offices to close until April 3rd’ are, understandably,
proving to be irresistible to many employees, who do as they’re told in the email
and click to open the ‘attached instructions.’

More Home Working Creates More Opportunities For Hackers

The sudden mass shift to home working is also widening the attack surface
for cybercriminals. IT departments are under pressure to relax security policies while
first-time remote workers get their PCs up and running for access to company
systems from outside the corporate network.

Additional permissions have to be granted, for example, to enable use of USB devices, register employees’ personal devices on the network, or provide local administrator privileges.

Searching For Distraction. Finding Malware

Country-wide lockdowns and restrictions on movement mean everyone is spending more time at home. With shops, restaurants, gyms, cinemas and theatres all shut, people everywhere are looking for new ways to be entertained. Gaming platforms are busier than ever, and many people are trying out new apps like puzzles & quizzes, comedy videos, and other kinds of time-killing light entertainment.

But as great as mobile devices are at distracting us from boredom, smartphone users need to be extra careful.

At Secure-D we’ve recently observed an uptick in malicious “leisure” apps on Google
Play Store like Atlas Box, Puzzle Addict, and Video Lounge. These apps offer free entertainment
but in reality they’ve been created to trick users into subscribing to premium services.

COVID-19 Mobile Do’s And Don’ts

Common sense counts for a lot in cybersecurity, but in exceptional times
you need to be extra vigilant. Here is an anti-scam checklist to help keep you safe:

Definitely Don’t …

… panic if you believe you have given away sensitive information like a username or password by mistake. Immediately change them on any site where you have used them
… trust messages that attempt to gather personal information
… respond to telephone requests for personal or financial information
… reuse passwords across multiple accounts and devices

But Definitely Do …

Report a scam immediately if you see one
Start using the ‘strong’ passwords web browsers, like Safari, now create automatically
Check all the links in any emails you receive before clicking, and make sure they look legitimate
Take extra care when answering incoming calls
Read the sender’s email address (not just their name) to make sure the email address looks right
If an email or text message asks for sensitive information or payment – double check it
Install the most recent security updates for your browser, mobile devices, and PC
Only install applications you are 100% certain come from legitimate sources
Make sure you review the ratings and requested permissions for any application install
And finally: Always (always!) think twice before you click.

lab.secure-d.io