McAfee sees surge in mobile malware targeting COVID-19 vaccines

With most of the world still anxious about COVID-19 and demand for vaccines high, new McAfee research sheds light on how hackers are targeting these fears with bogus apps, text messages, and social media invitations.

Over the past year, the vaccine rollout has advanced at different rates across the globe, providing plenty of opportunities for hackers. McAfee Advanced Threat researchers found that hackers are hiding malware and malicious links inside fakes vaccination appointments and registration display ads. These have the potential to download malware onto a person’s device that displays unwanted ads, as well as activating accessibility features to give the hacker full device control, with the goal of stealing banking details and credentials. According to the research, some of these campaigns worryingly started as early as November last year, before any vaccines had officially been approved, while others continue to appear as countries roll out their vaccination programs in the fight against COVID-19.

The latest McAfee Mobile Threat Report 2021 highlights the following mobile threat trends:

COVID-related malware: According to the McAfee COVID-19 Dashboard, more than 90% of all pandemic-related malware took the form of Trojans. McAfee researchers found evidence of an SMS worm targeting Indian consumers, forming one of the earliest vaccine fraud campaigns. Both SMS and WhatsApp messages encouraged users to download a vaccine app and once downloaded, malware sent itself to everyone in the user’s contact list via SMS or WhatsApp. The malware behind this is the same family that was involved in India’s ban on the Tik-Tok app last July.
Billing fraud malware that makes purchases behind the backs of consumers: McAfee researchers have also uncovered new information on mobile malware dubbed Etinu. Targeting users in Southwest Asia and the Middle East predominately, Etinu was found being distributed via Google Play, with more than 700K downloads before being detected and removed. Once an app harboring this malware is installed via the Google Play Store, the malware steals incoming SMS messages using a Notification Listener function. It can then make purchases and sign up for premium services and subscriptions that get charged to the user’s account.
Hackers are using banking Trojans to target hundreds of financial institutions around the world: McAfee Mobile Security detected a 141% increase in Banking Trojan activity between Q3 and Q4 2020. Most Banking Trojans are distributed via mechanisms such as phishing SMS messages to avoid Google’s screening process. During its research, McAfee discovered Brazilian Remote Access Tool Android (BRATA) – a popular banking Trojan – that repeatedly managed to get onto the Google Play store and as a result, tricked thousands of users into downloads.

Burak Agca, Engineer at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, says, "Across iOS, Android, enterprise, and personal devices Lookout data shows a 49% increase in the rate at which users are being exposed to phishing on mobile between the fourth quarter of 2020 and the first quarter of 2021. Between lockdown, furlough, elections, BREXIT and vaccinations, cybercriminals were afforded a broad range of social engineering topics. They used these events to tempt their victims into falling for phishing schemes leveraging social engineering to target their victims."

Agca explains Lookout data shows that almost one-third of mobile users globally were exposed to a phishing attack in 2020., and of those encounters, Lookout also observed that 85% of mobile phishing attacks intended to deliver mobile malware such as spyware, banking trojans, surveillanceware, or stalkerware to the target’s smartphone or tablet.

"Successfully delivering these types of mobile malware allow attackers to silently observe everything that smartphone or tablet does and exfiltrate sensitive data," Agca says. "Smartphones and tablets don’t have the same security tools and protections as traditional endpoints like desktops and laptops. It’s harder to spot a phishing attack on mobile than it is on a desktop. Since mobile devices have smaller screens and a simplified user experience, people are less inclined to verify the sender’s real email address or identity. Being phished through social media or SMS on the same device you use for work could compromise your work data just as much as your personal data. Many phishing-related mobile malware spread through SMS or other messaging platforms, spamming the contact lists of infected devices. This results in widely spread campaigns that are more likely to succeed as the source of the phishing link is an acquaintance or friend."