Corona live 1.1.: Libya’s silent enemy

March 21, 2020 - 11:02
Written By: RabiaGolden

Libya has continued to struggle since the beginning of the revolution back in 2011, and the capital remains under attack by the notorious warlord Khalifa Haftar and militias loyal to him. Meanwhile another form of attack is taking place on Libyan citizens, a more silent and deadly form of assault.

Around the world, the ominous Coronavirus pandemic is causing panic and distress as it travels throughout the globe, ignoring all borders, pushing governments and businesses to quickly turn to email and texting in order to allay the fears of citizens and customers.

As is normal, the darker side of the web shows its criminal side, with cyber attackers taking full advantage of people’s concerns and their desire to arm themselves with information about the spread of COVID-19.

Researchers at the security company ‘Lookout’ are presently investigating trojanized Android applications being used in Libya to spy on unsuspecting users and gather information. One of the company’s research engineers, Kristin Del Rosso, stated that of all the many and various mobile malware presently in use, this particular one is the most invasive she had seen to date.

The application is called ‘Corona Live 1.1.’ and lulls the user into a false sense of security by reassuring them that no special access is required. As the individual continues with the application, however, access to device location, media files and photos is subtly requested.

The Corona Live 1.1 app is a SpyMax sample: a trojanized version of the ‘Corona live’ app used by the Johns Hopkins University ‘Coronavirus tracker’, which covers the entire range of infection rates, number of deaths, geographical spread of the pandemic and so on.

This app, which is not available for purchase from the Google Play Store, is openly for sale from SpyNote and Mobihok for as little as $75 for a single license, up to $15,000 for a more ‘in-depth’ version, with technical support also offered at checkout. These companies make it very simple for any individual or group to purchase these apps and even assist them to customize and manage the spy tools.

Once the unsuspecting user is reeled in, the app gives the perpetrator remote activation of the device’s camera and microphone, and access to all private files on the user’s device.

There are many and various spyware applications to note, such as SpyMax, SpyNote, SonicSpy, SandroRat and Mobihok, which are all generic. However, the latest three COVID-19 related ones are titled ‘Libya Mobile Lookup’ and are among the earliest samples rolled out in this very significant surveillance effort, which gives insight into the demographics of those targeted.

These are some of the applications falsely presenting themselves as Coronavirus information applications. Interestingly, one of them is the Libya Mobile Lookup app, which permits the user to reveal the name of the caller from a Libyan mobile phone.

More interesting, however, is the fact that one of the operators seems to be a Libyan Telecom and Technology company and internet provider, whose IP address shows they are possibly part of a group used for DSL connections.

This illegal operation is more than likely being run from within Libya, either using the operators’ own equipment or that of a host entity which they have infiltrated for their own needs, as all targets would appear to be Libyan citizens. Its aim is to gather data and information, including the location of the user.

Lookout researcher Del Rosso added that although there is no direct evidence showing that the malware is being used by the state or officialdom, it has been proven that these methods have been used by Middle Eastern states.

It is safe to say that these Arab states have the necessary funding to develop their own campaigns openly as a starting point; however, it has been noted that the use of ‘under-the-counter’ commercial malware has evolved from these starting points.

The warning is to avoid downloading any app from a third-party app store, and not to click suspicious links offering information about the Coronavirus or install apps spread through SMS.

There will always be those waiting on the sidelines to take advantage of any ‘panic’ situation, such as the fear raised over this latest Coronavirus pandemic. There are, however, two kinds of manipulators. The first commits extortion by accessing personal data for ransom. The second, far more long term and intrusive, gathers intelligence and information on political players, which is potentially very dangerous and corrosive to the Libyan nation in the present situation.