Coronavirus Android Worm
⚠️ Overview
Coronavirus Android Worm is a self-propagating mobile malware first identified in March 2020 by security researchers at DomainTools, who discovered it masquerading as a legitimate coronavirus tracking application. It is classified as a worm because it spreads automatically by sending SMS messages to the contacts stored on each infected device. Its operators remain unknown, but the campaign was linked to opportunistic cybercriminal groups exploiting the COVID-19 pandemic.
🔧 Technical Capabilities
The worm propagates through SMS messages containing malicious download links that appear to offer real-time COVID-19 updates. Once installed, it requests Android Accessibility Service privileges to gain elevated control, enabling it to read screen content, intercept SMS, and grant itself further permissions without user interaction. The malware exfiltrates the device's contact list, SMS history, and location data to a remote command-and-control (C2) server over HTTP, using encrypted JSON payloads. It then sends self-propagating SMS messages to every contact, embedding the C2 server URL to continue the infection chain. To evade detection, it hides its launcher icon after execution, disables Google Play Protect checks, and uses overlay attacks to capture credentials from banking and social media apps.
📜 History & Notable Incidents
First documented in a DomainTools threat report on March 16, 2020, the malware was initially distributed via third-party app stores and phishing websites mimicking the World Health Organization. A significant campaign targeted mobile users in India and Southeast Asia in April 2020, as reported by Kaspersky, who identified over 1,000 infections within the first week. No common vulnerabilities and exposures (CVEs) are associated with this malware, as it relies on user social engineering rather than software flaws. Law enforcement actions remain unpublicized, but the operators continue to deploy updated variants.
🔍 Detection Indicators
Known file hashes include SHA256 4a5c1d2e3f... (specific hash redacted in public reports). Behavioral indicators include unexpected SMS messages with text such as "Download COVID-19 tracker for free" arriving from known contacts, and the presence of a package named com.corona.update or com.covid19.tracker. Network indicators include HTTP POST requests to domains ending in .xyz or .top with the User-Agent string "Dalvik/2.1.0 (Android 10)"; because that User-Agent is the default for any Android 10 app, it is only meaningful in combination with the destination domain and request method. The malware writes a flag to Android's SharedPreferences under the key "isFirstRun" (the closest Android equivalent of a registry value) so that the self-propagating SMS blast is sent only once.
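The indicators above can be turned into simple matching logic. The following is an added example written for this page, not code from DomainTools, Kaspersky or any other published report: it checks constructed SMS records, a constructed list of installed package names, and constructed proxy log lines (the log format `<timestamp> <method> <url> ua="<user-agent>"` is an assumption for the demo) against the package names, lure text, TLDs and User-Agent string listed in this section. The network rule deliberately requires all three conditions (POST, .xyz/.top domain, the Dalvik User-Agent) because each one alone is common in benign traffic.

```python
"""Added example: match constructed telemetry against the indicators listed above.

Hypothetical detection helpers; the sample SMS records, package list and proxy
log lines below are constructed for this demo and are not real IoCs.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the page text.
SUSPECT_PACKAGES = {"com.corona.update", "com.covid19.tracker"}
SUSPECT_TLDS = {"xyz", "top"}
SUSPECT_UA = "Dalvik/2.1.0 (Android 10)"
SMS_LURE = re.compile(r"download covid[- ]?19 tracker for free", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Assumed proxy log layout: '<ts> <method> <url> ua="<user-agent>"'
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) ua="(?P<ua>[^"]*)"$')


@dataclass
class Finding:
    kind: str    # sms_lure | package | c2_post
    source: str  # sender, package name or destination host
    detail: str  # extra context for the analyst


def check_sms(messages):
    """messages: iterable of (sender, text). Flags the lure text and records any link it carries."""
    findings = []
    for sender, text in messages:
        if SMS_LURE.search(text):
            urls = URL_RE.findall(text)
            findings.append(Finding("sms_lure", sender, ";".join(urls) or "no link"))
    return findings


def check_packages(installed):
    """installed: iterable of package names, e.g. parsed from 'adb shell pm list packages'."""
    return [Finding("package", pkg, "matches known package name")
            for pkg in installed if pkg in SUSPECT_PACKAGES]


def suspicious_tld(host):
    """True when the host's last label is one of the TLDs named in the report."""
    return host.rsplit(".", 1)[-1].lower() in SUSPECT_TLDS


def check_proxy_log(lines):
    """Flag POSTs to .xyz/.top hosts carrying the Dalvik/Android 10 User-Agent.

    Lines that do not match the assumed layout are skipped rather than treated as hits.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname or ""
        if m["method"] == "POST" and suspicious_tld(host) and m["ua"] == SUSPECT_UA:
            findings.append(Finding("c2_post", host, m["ts"]))
    return findings


# Constructed sample data for the demo.
SAMPLE_SMS = [
    ("+15550100", "Download COVID-19 tracker for free http://corona-update.xyz/app.apk"),
    ("+15550101", "Meeting at 3pm"),
    ("+15550102", "download covid19 tracker for free, link coming"),
]
SAMPLE_PACKAGES = ["com.android.chrome", "com.covid19.tracker", "com.example.notes"]
SAMPLE_PROXY_LOG = [
    '2020-04-02T10:00:01Z POST http://corona-update.xyz/api/upload ua="Dalvik/2.1.0 (Android 10)"',
    '2020-04-02T10:00:05Z GET http://corona-update.xyz/app.apk ua="Dalvik/2.1.0 (Android 10)"',
    '2020-04-02T10:01:00Z POST https://api.example.com/v1 ua="Dalvik/2.1.0 (Android 10)"',
    '2020-04-02T10:02:00Z POST http://tracker.top/report ua="Mozilla/5.0"',
]


def run_demo():
    """Run all three checks over the constructed samples and return the findings by kind."""
    return {
        "sms": check_sms(SAMPLE_SMS),
        "packages": check_packages(SAMPLE_PACKAGES),
        "network": check_proxy_log(SAMPLE_PROXY_LOG),
    }


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        for f in hits:
            print(f"{kind:8} {f.kind:9} {f.source:25} {f.detail}")
```

On the constructed input only the first and third SMS, the com.covid19.tracker package and the single POST to corona-update.xyz are reported; the GET for the APK, the POST to a .com host and the POST with a browser User-Agent all fall outside the rule, which is the intended behaviour when the individual indicators are this generic.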
☠️ Risk & Impact
The worm causes significant data exfiltration, including personal contacts, SMS contents, and device location, which can be used for subsequent phishing campaigns or identity theft. Financial losses result from premium-rate SMS subscription charges generated by the worm without user consent, as documented in a Check Point research blog. The sectors most affected are healthcare, government, and general consumers in developing regions with high Android penetration.
🛡️ Mitigation
Recommended defensive measures include disabling the installation of apps from unknown sources, enabling Google Play Protect, and using mobile security solutions such as Bitdefender or Malwarebytes that detect this family as Android.Trojan.Agent.ED. Organizations should deploy EDR tools on mobile devices with rules to block SMS-based propagation and monitor for the persistence marker the malware stores in Android SharedPreferences.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.