According to a recent report, a new spyware campaign is under way that lures victims with a mix of coronavirus and cryptocurrency themes. It comes in the form of Android and iPhone spyware apps, and it hides behind a set of legitimate-looking online companies that appear to serve as fronts for a criminal operation.
Once a device is infected, these Android and iPhone spyware apps steal messages and data from it: SMS, WhatsApp and Facebook messages, location data, device information, photos, call logs and contact lists.
For now, the campaign looks to be in an early stage: only a handful of data-stealing apps have been deployed. There is reason to believe this is a staged operation, with the plan being to push additional malicious code in later updates once the apps have built up a user base.
Unfortunately, these apps have already made it into both the Apple App Store and Google Play. Their code shows an amateurish streak in the cybercriminals behind the attacks.
As an Android user, it is important to be aware of such attacks, especially at a time when most people spend the majority of their day on a smartphone. Android antivirus products and Google Play Protect can flag known samples, but the more reliable check is to review the permissions an app requests before granting them: a cashback or news app has no business reading your SMS, call logs or contacts. iOS users should not assume they are covered automatically either. Apple's app sandbox limits what an app can reach without a permission prompt, but it does not identify or block spyware on sight; the data listed above is exactly what a user hands over by tapping Allow.
A Company That Seems Legitimate
Concipit 1248 appears to be the company behind these apps. Its website claims it is "the best cashback platform on Blockchain", and the company has even published a white paper describing its business model. The leadership is made up of Italian and Pakistani citizens, and the company is presumably based in Estonia, according to its legitimate-looking website.
Under cashnow.ee there is a subdomain, spy.cashnow.ee, which looks as sketchy as it sounds: a flashy background, references to "Target Mr. Anonymous" and "Project Spy 201", and a V for Vendetta mask.
Search the App Store and Google Play and you will find two apps from Concipit 1248, called Concipit Shop and Concipit 1248.
One is somehow related to the Ethereum cryptocurrency, while the other appears to be a cashback platform. Both are described in the popular tech buzzwords that give an impression of legitimacy to the untrained eye.
According to Trend Micro, a test of the Concipit 1248 app revealed connections to the spy.cashnow.ee server. We are not sure whether Trend Micro was or is aware of the Android and iPhone spyware behind them.
How Was This Discovered
It all started last month, when Trend Micro revealed the existence of Coronavirus Update, a bogus app that claims to provide up-to-date information on the coronavirus pandemic. We could not find this app on the Google Play Store, even though the implication was that it would be there.
According to our current data, this Coronavirus Update app, once installed, can steal all of the types of data listed above from an Android device. The same app has been implicated in a fake TikTok scandal involving a music-sharing app that was later linked to spy.cashnow.ee. It was listed on Google Play as Concipit 1248, but if you look now, you will no longer see it.
The cashnow.ee and concipit1248.com domains, both tied to the Android and iPhone spyware, have their WHOIS records hidden behind privacy proxies, with an extra layer of privacy at the Estonian registry for the .ee domain.
The contact name for cashnow.ee is the same as that of the Concipit 1248 founder, as seen in the white paper released by the firm, and the same as a management-level member of the CashNow firm, also in Estonia.
The contact email address even references Concipit 1248. We have sent a message to it but have yet to receive a reply.
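The two domains above are the only concrete indicators this article gives a defender to act on. As an added example (not code from the article, from Trend Micro, or from the company discussed), here is a small Python hunt that looks for those domains in DNS and proxy log lines. It matches on the registered domain so that any subdomain such as spy.cashnow.ee is caught, ignores lookalikes such as notcashnow.ee, and normalises defanged forms (hxxp, [.]) as they appear in threat reports. The log lines are constructed for the example and are not real traffic.

```python
import re
from typing import Iterable, List, Tuple

# Domains named in the article as associated with the Project Spy apps.
# Matching is done on the registered domain so any subdomain is caught.
INDICATOR_DOMAINS = ("cashnow.ee", "concipit1248.com")

# First alternative: host part of a URL. Second: a bare dotted hostname
# whose last label is alphabetic (so IPv4 addresses are not matched).
_HOST_RE = re.compile(
    r"(?:https?)://([^/\s:]+)|\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I
)


def refang(text: str) -> str:
    """Undo the defanging used in threat reports (hxxp, [.])."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def matches_indicator(host: str) -> bool:
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def hosts_in(line: str) -> List[str]:
    """Extract every hostname-looking token from one log line."""
    return [(m.group(1) or m.group(2)).lower()
            for m in _HOST_RE.finditer(refang(line))]


def hunt(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched host, line) for each line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in(line):
            if matches_indicator(host):
                hits.append((n, host, line.rstrip()))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample: dnsmasq-style query lines plus one proxy access line.
SAMPLE_LOG = """\
Apr  3 10:12:01 dnsmasq[812]: query[A] spy.cashnow.ee from 10.0.0.23
Apr  3 10:12:02 dnsmasq[812]: query[A] play.googleapis.com from 10.0.0.23
Apr  3 10:12:09 dnsmasq[812]: query[A] cashnow.ee.lookalike.example from 10.0.0.40
Apr  3 10:13:44 proxy: 10.0.0.23 GET hxxp://concipit1248[.]com/update 200
Apr  3 10:14:00 dnsmasq[812]: query[A] notcashnow.ee from 10.0.0.41
""".splitlines()

if __name__ == "__main__":
    for n, host, line in hunt(SAMPLE_LOG):
        print(f"line {n}: {host}  <- {line}")
```

Run against the constructed sample it reports only lines 1 and 4; the lookalike on line 3 and the prefix collision on line 5 are left alone, which is the point of anchoring the match at a label boundary rather than doing a plain substring search.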
If there is one thing we can say about this group, it is that we have never seen them before. We are monitoring their movements closely. It is possible that these are perfectly legal and legitimate websites and companies, but the circumstantial evidence available to us says otherwise. Only time will tell.