Beyond the Virus: A First Look at Coronavirus-themed Mobile Malware

As the COVID-19 pandemic emerges in early 2020, a number of campaigns have started capitalizing the topic. Although a few media reports mentioned the existence of coronavirus-themed mobile malware, the research community lacks the understanding of the landscape of the coronavirus-themed mobile malware, and there is no publicly accessible dataset that could be utilized to boost the related research. In this paper, we present the first systematic study of coronavirus-themed mobile malware. We first make efforts to create a daily growing COVID-19 themed mobile app dataset, which contains $2,016$ COVID-19 themed apps and $277$ malware samples by the time of May 26, 2020. We then present an analysis of these apps from multiple perspectives including popularity and trends, installation methods, malicious behaviors and malicious campaigns. We observe that the growth of the number of COVID-19 themed apps is highly related to the number of confirmed cases of COVID-19 in the world. Most of them were released through distribution channels beyond app markets. A majority of the malicious apps (over 53%) are camouflaged as official apps using the same app identifiers and some of them use confusing similar app icons with the official ones to mislead users. Their main purposes are either stealing users' private information or making profit by using the tricks like phishing and extortion. Furthermore, we find that only 40\% of the COVID-19 malware creators are habitual developers who are active for a long time, while 60\% of them are new emerging ones in this pandemic and only released COVID-19 themed malware. The malicious developers are mainly located in US, mostly targeting countries including English countries, Arabic countries, Europe and China. To facilitate future research, we have publicly released all the well-labelled COVID-19 themed apps (and malware) to the research community.