- An SMS worm claiming to help users in India book a slot to get the COVID-19 vaccine is making the rounds.
- The malicious app link being circulated over text messages enables unauthorised access to private accounts, exposes personal data and has the ability to delete data without the victim's knowledge.
- New variants of SMS worms are rare, but this one — and its cousins — all seem to have been created by the same developer, according to an investigation conducted by cyber risk assessment firm Cyble.
The official CoWIN mobile app has
, which has forced users in India to
to check for available vaccination slots or even simply register for the vaccine.
While many solutions are genuinely helpful, others are not necessarily looking out for the ‘greater good’, like a new SMS worm that promises to book a vaccination slot for you but infects your device with malware instead. So far, the penetration seems to be limited to Android users.
The SMS worm is capable of enabling unauthorised access to private accounts, using the device for activities the user is unaware of, exposing personal data and deleting data without the user’s knowledge.
This means accessing Twitter and Facebook accounts, peeping into your photo gallery and contact list, deleting documents you may have wanted to keep around for a little bit longer and eating up your data — which can be particularly painful if you have limited data per day.
The issue was initially brought to light by Malware researcher
. It was then also confirmed by Australian cyber risk assessment firm
“Our investigation indicated that this malware campaign is currently targeting India as the country struggles with the ongoing onslaught of the pandemic,” said Cyble in its report.
A mysterious developer is creating similar apps with the same end goal
Cyble tried to track down the source of the fake app and found numerous abandoned repositories on Twitter. They list other apps that are similar but with different names. The end goal is the same for all of them — get the same permissions and enter from the same point.
According to the investigators, it is likely that the same developer is behind all of these apps.
“New variants of SMS worms for Android do not appear very often, and this particular variant is an interesting piece of malware and part of a unique attack,” said Cyble in its report. In addition to tricking people into installing the SMS worm and accessing sensitive information, this whole exercise also carries a direct monetary cost to the victim.
Since the worm is automatically sending messages to people on the victim’s contact lists, it could use up their balance depending on their phone plan — without the victim’s knowledge.
How does the COVID-19 SMS malware work?
Users receive an SMS containing a malicious link that leads to a seemingly genuine website. Once an unsuspecting user clicks on the link, the worm’s code is now ready to execute on the device — that is, the smartphone has now been infected.
Moreover, the malware sends a copy of itself to everyone on that person’s contact list.
Some of the suspicious activities spotted include checking for devices that are connected to the phone through Bluetooth, sending text messages using SMS Manager, checking the status of the user’s SIM card and sending out queries around phone contact information.
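For defenders triaging a suspicious APK, the behaviours listed above can be checked against the permissions the app requests. The following is an added example, not code from the article or from Cyble's report: it reads a decoded AndroidManifest.xml (for instance, as produced by apktool) and flags the contacts-plus-SMS combination that makes self-propagation possible. The behaviour-to-permission mapping and the sample manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours reported in the article -> Android permission that gates each one.
# The mapping is this example's assumption. SIM-state checks need no
# permission, so they do not show up in a manifest and are not listed here.
BEHAVIOUR_PERMS = {
    "sends SMS via SmsManager": "android.permission.SEND_SMS",
    "queries contact information": "android.permission.READ_CONTACTS",
    "checks Bluetooth-connected devices": "android.permission.BLUETOOTH",
}
# Contacts + SMS sending together let an app text a link to every contact.
PROPAGATION_PAIR = {"android.permission.SEND_SMS",
                    "android.permission.READ_CONTACTS"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms


def triage(manifest_xml: str) -> dict:
    """Report which of the article's behaviours the manifest makes possible."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(b for b, p in BEHAVIOUR_PERMS.items() if p in perms)
    return {
        "matched_behaviours": matched,
        "can_self_propagate_by_sms": PROPAGATION_PAIR <= perms,
    }


# Constructed sample manifest (hypothetical package, not from a real sample).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.vaccine">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A match only shows what the app is able to do; legitimate messaging apps request the same pair, so the result is a prompt for closer inspection rather than a verdict.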