Malicious APKs share code during Covid-19 pandemic

Written by Intezer

    Share article
    FacebookTwitterLinkedInRedditCopy Link

    Top Blogs

    Threat actors are exploiting fear and uncertainty to spread Covid-19 themed malicious Android package kits (APKs) onto users’ mobile devices. APKs pose a significant risk to end users because of the sensitive personal information and credentials stored on mobile devices.

    We analyzed a popular APK to see if it shares binary code with other Android malware. This particular sample copies significant portions of code from previous Cerberus, Anubis and Ginp variants. Code reuse appears to be an ongoing trend among malicious Android applications.

    Update as of April 20
    We have been monitoring a high number of malicious APK samples reported on Twitter. For instance, this tweet from MalwareHunterTeam indicating a fake APK alleging to be sponsored by the Turkish Ministry of Health:

    Or this example of “Covid.apk” –

    Here is another example –

    Many of these samples had low detections upon initial upload to VirusTotal, including this fake media player application which had only four detections –

    Four Detections

    We analyzed the APK using Intezer Analyze which classified the threat to Cerberus:

    We analyzed the APK using our genetic analysis platform, Intezer Analyze, which immediately classified the threat to Cerberus

    This application is clearly malicious, as seen under the Dalvik Code Reuse section, because it shares the majority of its code with previous Cerberus, Anubis and Ginp variants.

    The main connection here is to Cerberus, a banking trojan that attempts to steal the victim’s banking credentials. Cerberus recently underwent an upgrade and is now being shipped with full RAT functionality. The malware can provide its operator with full access to the storage of the infected device. Because this particular application shares 124 genes (or 31.23%) of its code with Cerberus, we can understand that it is a new variant.

    MediaPlayer.apk has a strong genetic connection to Anubis, an Android malware which source code leaked in 2019, and is being used by adversaries to develop future Android threats.

    We also see shared code with Ginp, which is another APK malware and which shares code with Anubis, as seen from the analysis report. The connection between Ginp and Anubis has been documented in the past and is easy to spot in Intezer Analyze.

    Intezer Analyze supports genetic analysis for Android applications 
    As threat actors continue to exploit fear and uncertainty to spread malware via Covid-19 themed apps, try uploading them to the free community edition to detect malicious APKs and better understand the origins of these threats.

    This is a beta feature so please help us improve by sharing your feedback. If you receive an analysis that you think can be improved, let us know by clicking on the report analysis button in the upper right corner of Intezer Analyze.


    Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.

    Interactive Sandboxing is almost here!Interactive Sandboxing is almost here! Get early access
    Generic filters
    Exact matches only
    Search in title
    Search in content
    Search in excerpt