Beware of fake apps with malware mimicking TraceTogether

June 13, 2020

Fake apps that mimic Singapore's national contact tracing app TraceTogether have popped up online, prompting the local authorities to issue a warning.

In an advisory yesterday, the Singapore Computer Emergency Response Team (SingCert), a unit of the Cyber Security Agency of Singapore, said hackers are capitalising on an increased interest in contact tracing applications as countries progressively move out of their lockdown phase.

"These fake applications are usually embedded with Trojans or malware that, when executed, could be used to monitor users' activities on the device and/or steal their personal data," said SingCert.

The Straits Times understands that the fake apps have the same branding as the TraceTogether app, but contain malicious software designed to steal sensitive information such as passwords and banking details.

SingCert has so far not received any reports from users of having downloaded the fake apps.

Contact tracing apps like TraceTogether, which identify people in close contact with a coronavirus patient via wireless Bluetooth technology, are useful when those infected cannot recall whom they had been in close proximity with for an extended period.

In a blog post on Wednesday, US-based cyber security firm Anomali said it has discovered at least 12 bogus contact tracing apps that have been designed to fool users, which hackers are using to spread malicious software and steal data.

Two of the 12 fake apps that Anomali found mimicked TraceTogether. Once installed on a device, the apps are designed to download and install malware and steal banking credentials and personal data.

Anomali added that these apps do not appear to be distributed through official channels like the Google Play Store or Apple's App Store, but rather, are being spread through other apps, third-party stores and websites.

SingCert urged users to download apps from official sources and verify that the developer information on the application listing matches official ones. Users should also be wary of applications that ask for unnecessary permissions.

"Look through the application's reviews, and be wary of poorly reviewed applications. Multiple poor reviews or comments may be an indication of issues with the application," SingCert said.

Users who have downloaded applications from unofficial sources should delete these apps, and run an antivirus scan on their devices. In cases where users cannot delete the application, they could do a factory reset on their device to remove the potentially dangerous app.

Read the original article and additional information at Cyware Social