Cybersecurity researchers have uncovered a malware campaign targeting Syrian citizens that uses Covid-19 to lure users into installing apps onto their phones that are then used to spy on them.

Discovered by researchers from cybersecurity company Lookout and detailed in a blog post published today, the campaign is thought to be being conducted by threat actors with nation-state backing, meaning they are acting on behalf of the Syrian government.

The surveillance malware, also known as surveillanceware, was found across 66 different malicious apps for Android. None of these were available via the Google Play Store, but instead are likely to have been distributed via third-party websites and app stores.

While all were presented to would-be installers as related to the Covid-19 coronavirus, only some of the apps targeting Syrian citizens contained functional applications. One which did was a prank app that claimed to test the user’s temperature, only to always show it as 35°C.

These were created using commercially available surveillanceware, which has been purchased and customised to give it a coronavirus theme and encourage its installation and use.

“Commercial surveillanceware like SpyNote, which makes up the majority of samples in this campaign, are customisable,” said Kristin Del Rosso, security research engineer at Lookout.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“The actor can make the app name and icon whatever they please.  Sometimes, they even include functional applications inside the malicious app so the user is not suspicious, like with the Covid-19 temperature reading application.

“In other samples however, the actor did not include any useful functionality, so the application just spies on the user in the background.”

Syrian government using Covid-19 malware to support internet censorship

The surveillanceware campaign is thought to be latest effort by the Syrian government to censor citizens, particularly those acting against it.

“Based on past activity from this suspected actor, and the typical modus operandi of nation-state attacks, it is plausible that the goal is to spy on Syrian political activists,” said Del Rosso.

“Syria has an extensive history of internet censorship, and has gone as far as shutting down the country’s internet in 2011 and 2013.

“The pro-government hacking group, the Syrian Electronic Army, who is likely behind this mobile campaign, has repeatedly hacked websites to post pro-Assad messages, and retaliated against sites that did not cover him favourably.  In the past, this group has targeted journalists and human rights activists that did not agree with the government, so this type of campaign is not unprecedented.”

The Covid-19-themed malware currently being used to target citizens is the latest iteration in a years-long campaign that is designed to spy on Syrian citizens, with the threat actor thought to be taking advantage of the desire for information about the coronavirus to encourage users to install the infected apps.

“The campaign has been active for years, but it only started recently taking advantage of the current media coverage around coronavirus to use it as the newest lure,” explained Del Rosso.

“Older samples from this campaign impersonated a variety of applications that might be of interest to potential targets, so it makes sense that the newest applications are prey on the fears of this health crisis, so that they have a higher chance of being downloaded.”

And while this campaign is only thought to be targeting Syrian citizens, Del Rosso does anticipate similar malware campaigns that take advantage of Covid-19 interest to be enacted in other parts of the world.

“We’ve seen similar campaigns run in multiple countries for years, especially in regions with less protections around freedom of press and free speech.”

Read more: Ten-year Chinese hacking operation targets Linux servers

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up