Trend Micro has now revealed the discovery of multiple apps, including one called "Coronavirus Updates", that are actually malware released by bad actors to spy on mobile users. Related malware was found on both iOS and Android in the respective official app stores. The firm has collectively dubbed the malware "Project Spy" and reports that it was potentially part of a larger cyberespionage campaign.

As noted above, the first of the new malware to be discovered was built to take advantage of the panic surrounding the ongoing COVID-19 pandemic. Security researchers at Trend Micro also discovered what they believe is a second iteration of the app, called Wabi Music. Two other apps were discovered on iOS.

The team was able to discover the related apps by searching for the developer named behind them, Concipit Shop. The iOS apps were titled Concipit Shop and Concipit1248; iOS users were kept safe by blocking mechanisms in the OS.


Coronavirus Updates malware and the other spyware were stealing a huge amount of data

Project Spy appears to have been on the Google Play Store from May 2019 to February 2020. It is no longer available as of March. Both versions of Project Spy were potentially capable of stealing a significant amount of data.

The first variant, from May, was able to collect device and system information. That includes identifying markers such as IMEI, device ID, manufacturer and model, as well as phone number, location data, contacts, and call logs. Beyond that, it was able to collect and send SMS messages and monitor calls. The code also allowed Project Spy to take photos with the camera and upload recorded MP4 files.

The second version also built significantly on the capabilities of the first. To begin with, it bypassed the FTP mode for uploading recorded images. It also gained notification access in order to read the contents of other apps' notifications. That meant it was able to steal messages from WhatsApp, Facebook, Telegram, and others.
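As an added defender-side illustration (not Trend Micro's detection logic and not code from the report), the following Python triages an Android manifest against the capability list described above: each data type is mapped to the Android permission an app must declare to collect it, and a service guarded by the notification-listener permission is flagged as the route to other apps' messages. The sample manifest and the "high risk" threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data types from the Project Spy write-up, mapped to the real Android
# permissions an app needs to declare to collect them.
CAPABILITY_PERMISSIONS = {
    "device identifiers (IMEI/phone number)": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "sms collection/sending": {"android.permission.READ_SMS",
                               "android.permission.RECEIVE_SMS",
                               "android.permission.SEND_SMS"},
    "camera": {"android.permission.CAMERA"},
    "call monitoring": {"android.permission.RECORD_AUDIO"},
}
# A service protected by this permission is how an app reads notifications
# posted by other apps (WhatsApp, Telegram, ...).
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
HIGH_RISK_THRESHOLD = 4  # constructed cut-off for this example, not a standard

def profile_manifest(manifest_xml: str) -> dict:
    """Return the spyware-like capabilities an AndroidManifest declares."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    declared = {e.get(name_attr) for e in root.iter("uses-permission")}
    caps = sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if declared & needed)
    if any(s.get(perm_attr) == NOTIFICATION_LISTENER for s in root.iter("service")):
        caps.append("notification contents (messaging apps)")
    return {"capabilities": caps, "score": len(caps),
            "high_risk": len(caps) >= HIGH_RISK_THRESHOLD}

# Constructed manifest resembling the capability profile described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.updates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".NotifService"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(profile_manifest(SAMPLE_MANIFEST))
```

A real triage would combine this manifest profile with network indicators such as hardcoded server credentials, which the page notes were present in the code itself.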


Security solutions such as those from Trend Micro can mitigate damage from these apps

Trend Micro does offer some consolation when it comes to overall activity from Project Spy, however. First, it appears to have mostly targeted Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada, and Russia. But it also appears Project Spy apps were only downloaded by a negligible number of users. That comes down to the fact that neither app really did much, leading to negative reviews and low downloads.

More importantly, the code appears to have been cobbled together by 'amateurs' rather than professionals. One key indicator is that the login credentials for the associated server were held in the code itself. In other cases, the code appeared incomplete or still incubating, so it wasn't fully functional just yet.

The group behind the attacks, for all intents and purposes, appears to be relatively new, Trend Micro notes.


Finally, the company indicates that its capabilities aren't very well hidden. That means that security solutions and apps can be used to mitigate the potential damage from the currently known version of Project Spy.