SMS phishing campaign uses fake COVID-19 vaccine registration to install malware on users’ smartphones

Cybersecurity specialists report that a fake SMS message inviting recipients to register on a waiting list for the COVID-19 vaccine is being sent to multiple Android users. The goal is to access the contact list of the compromised device and potentially steal sensitive information.

This campaign was initially reported in some locations in India and has already been reported to local authorities. However, experts believe this attack could spread to other territories in India and even to other countries: “A fake SMS message has been reported to circulate that claims to offer an application that allows users to register for the COVID-19 vaccine in India,” the report states.

“This SMS carries a link that installs a malicious app on the affected devices and then deploys malware across all vulnerable areas of the system,” the researchers in charge of the report said. These reports reached the Indian government agency specializing in cybersecurity.

Experts add that the app also obtains arbitrary permissions that hackers could exploit to obtain sensitive data, including the contact lists of affected users. As for the identified variants of this malicious application, experts point out that the campaign uses the file names Covid19.apk, Vaci__Regis.apk, MyVaccin_v2.apk, Cov-Regis.apk and Vccin-Apply.apk.

Indian cybersecurity authorities asked users to remain alert to any phishing attempts that use the coronavirus health emergency as a pretext. As protective measures against such attempts, users were advised to avoid installing apps from sources outside the Google Play Store and to avoid visiting websites of dubious reputation.
