A phishing campaign targeting Android users has been detected and analyzed by Cyberguerre, the cybersecurity vertical of Numerama. The attackers sent a fake SMS impersonating the French government, urging recipients to download the TousAntiCovid application… which is in fact banking malware.
If you received an SMS from the government on your Android phone after Wednesday, December 2, 2020, be vigilant: a phishing campaign is currently under way in France, as revealed by Cyberguerre, Numerama's cybersecurity vertical. In a tweet published on Friday, December 4, the TousAntiCovid Twitter account stated that its own SMS campaign has been closed since Wednesday.
Yet several people have since received a suspicious message inviting them to download the TousAntiCovid mobile application, one that is almost indistinguishable from the message the government recently sent to the French public. On closer inspection, however, a few small differences stand out.
A very similar SMS
First, the URL in the fraudulent message should arouse suspicion: it is a Bit.ly shortened link, whereas the message sent by the State uses the address “http://bonjour.tousanticovid.fr”. The shortened link contains the string “AntlCovid19” so as to resemble the name of the application as closely as possible, notes Cyberguerre.
The catch: the “i” of “Anti” has been replaced by a lowercase “l”, which is visually almost indistinguishable in many fonts. This is a common homoglyph technique; the letter pair “rn” is likewise used to imitate an “m”. Another notable difference is the sender name: “GOUV.FR” here, versus the “Gouv.fr” used by the official authorities. These are small details, but they are enough to fool the average user.
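To make the three indicators above concrete, here is a small Python triage script, added as an illustration and not code from Cyberguerre or the article. It checks an SMS for a URL shortener standing in for the official host, for a homoglyph imitation of the app name once look-alike characters such as “l” for “i” and “rn” for “m” are folded to a canonical form, and for a sender name whose casing differs from the official one. The official host, sender name and the “AntlCovid19” string come from the article; the shortener list, the additional confusable characters, the full fake link and the two sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Values taken from the article.
OFFICIAL_HOST = "bonjour.tousanticovid.fr"
OFFICIAL_SENDER = "Gouv.fr"
BRAND = "anticovid"

# Assumed list of public URL shorteners (bit.ly is the one seen in the campaign).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}

# Look-alike substitutions. "l" for "i" and "rn" for "m" are the two named in the
# article; the remaining entries are common additions included as assumptions.
DIGRAPHS = (("rn", "m"), ("vv", "w"))
SINGLES = {"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "$": "s", "3": "e"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages modelled on the article. The fake link's full path
# is an assumption: the page only says the shortened link contains "AntlCovid19".
REAL_SMS = ("Info Gouv : telechargez l'application TousAntiCovid sur "
            "http://bonjour.tousanticovid.fr")
FAKE_SMS = ("Info Gouv : telechargez l'application TousAntiCovid sur "
            "https://bit.ly/AntlCovid19")


def fold_confusables(text: str) -> str:
    """Map look-alike characters onto one canonical form, so that a string
    such as 'AntlCovid19' folds to something containing 'anticovid'."""
    t = text.lower()
    for pair, rep in DIGRAPHS:      # digraphs first: 'rn' -> 'm' before single chars
        t = t.replace(pair, rep)
    return "".join(SINGLES.get(c, c) for c in t)


def is_brand_lookalike(text: str, brand: str = BRAND) -> bool:
    """True when `brand` is absent from `text` as typed but present once both
    sides are folded, i.e. the text imitates the brand with homoglyphs."""
    raw = text.lower()
    return brand.lower() not in raw and fold_confusables(brand) in fold_confusables(raw)


def triage_sms(sender: str, body: str) -> list:
    """Return a list of human-readable indicators; an empty list means the
    message matches the official sender and host with no look-alike tricks."""
    indicators = []
    if sender != OFFICIAL_SENDER:
        if sender.lower() == OFFICIAL_SENDER.lower():
            indicators.append(
                f"sender casing differs from official ({sender!r} vs {OFFICIAL_SENDER!r})")
        else:
            indicators.append(f"unexpected sender {sender!r}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            indicators.append(f"shortened link via {host} hides the real destination")
        elif host != OFFICIAL_HOST:
            indicators.append(f"host {host!r} is not the official {OFFICIAL_HOST!r}")
        if is_brand_lookalike(url):
            indicators.append(f"homoglyph imitation of {BRAND!r} in {url}")
    return indicators


if __name__ == "__main__":
    for label, sender, body in (("real", "Gouv.fr", REAL_SMS), ("fake", "GOUV.FR", FAKE_SMS)):
        hits = triage_sms(sender, body)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Folding both the brand and the candidate string, rather than only the candidate, keeps the comparison consistent whatever canonical character each confusable class is mapped to; the script deliberately reports a shortened link even before expanding it, since the destination cannot be trusted until resolved.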
The malicious URL leads to a web page whose layout closely mimics the official site and offers a supposed app download, which is actually an APK file named tousanticovid.apk. Only Android users are offered it, whereas the official application is available for both Android and iOS. This, too, should raise suspicion.
Very sophisticated banking malware
The file is in fact malware that asks you to disable Google Play Protect so that it can install itself on the device and harvest a large amount of data, banking data in particular. According to Maxime Ingrao, a researcher specializing in Android at Evina contacted by Cyberguerre, it is sophisticated banking malware capable of stealing your banking information.
From your username and password to the two-factor authentication SMS, the malware captures all the data it needs to reach its goal. Harvesting the credentials of your Facebook or WhatsApp accounts is no problem for it either. If a phone is infected, Cyberguerre recommends resetting the smartphone. The fraudulent site was still active at the time of writing.