SingCERT warns of fake COVID-19 contact tracing apps containing malware

SingCERT warns of fake COVID-19 contact tracing apps containing malware

file photo phone woman 4
A person using a smartphone. (File photo: Xabryna Kek)

SINGAPORE: The Singapore Computer Emergency Response Team (SingCERT) on Friday (Jun 12) warned users about fake mobile applications that imitate official contact tracing apps meant to monitor and curb the spread of COVID-19. 

Such fake apps are usually embedded with malware that can be used to conduct malicious activities such as monitoring users' activities on their devices or stealing personal data, said SingCERT in an advisory.

Researchers from US cybersecurity firm Anomali have found 12 of such applications, including two in Singapore and others in Indonesia, India and Italy. 

"These apps, once installed on a device, are designed to download and install malware to monitor infected devices, and to steal banking credentials and personal data," said the firm on its website. 

The fake apps are likely being distributed through other apps, third-party stores and websites, Anomali added. 

READ: COVID-19: How smartphone apps can help with contact tracing

“Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies,” said Anomali. 

“The global impact of the COVID-19 pandemic makes the virus a recognisable and potentially fear-inducing name, of which actors will continue to abuse. This research reveals a glimpse into some of the applications threat actors are actively distributing and there are likely numerous others in the wild that have not yet been detected.”

Contact tracing apps are being developed in many countries as part of efforts to monitor and control the COVID-19 pandemic.

In Singapore, authorities are encouraging the public to download the TraceTogether app, which works by exchanging Bluetooth signals between phones to detect other users who are in close proximity.

LISTEN: TraceTogether token and contact tracing apps: Privacy, data usage and other big questions

Records of these encounters will be stored locally in the users’ phones and they will only be required to share it when contacted by MOH as part of contact tracing investigations.

However, the app had limited take-up as it did not work efficiently on some devices.

READ: COVID-19: Govt developing wearable contact tracing device, may be distributed to everyone in Singapore

WATCH: Singapore companies begin using their own contact tracing apps

SingCERT advised users to avoid downloading fake and malicious apps to their devices by adopting measures such as:

  • Only downloading apps from the official Google Play Store and the iOS App Store
  • Checking the developer information on the application listing and only downloading apps developed and listed by the official developer
  • Paying attention to security permissions required by the applications and/or its privacy policy before downloading, and being aware of applications that ask for unnecessary permissions on the device
  • Looking through the application’s reviews and being wary of poorly reviewed applications

Users who have downloaded applications from unofficial stores are advised to delete them and to perform an anti-virus scan on their mobile phone.

If the application cannot be deleted, users should back up their data and perform a factory reset on the device to try and remove it, said SingCERT. 

BOOKMARK THIS: Our comprehensive coverage of the coronavirus outbreak and its developments

Download our app or subscribe to our Telegram channel for the latest updates on the coronavirus outbreak: https://cna.asia/telegram

Source: CNA/ga(hs)

Bookmark