CovidLock Android Ransomware
CovidLock Ransomware: Android Malware Exploiting the COVID-19 Pandemic
CovidLock ransomware surfaced in early 2020, leveraging the global COVID-19 pandemic to trick Android users into downloading a malicious coronavirus tracking app. Once installed, CovidLock locked the victim’s device, changing the screen lock PIN and demanding a ransom payment in Bitcoin to restore access.
Introduction to CovidLock Ransomware
CovidLock represents a case of social engineering at its worst—exploiting a global health crisis to spread malware. Disguised as a coronavirus outbreak tracker, the malicious app installed ransomware that locked Android devices and demanded a $100 Bitcoin ransom, threatening to erase data and leak social media accounts if payment was not made.
1. How CovidLock Ransomware Worked
Infection Mechanism:
- CovidLock was distributed through malicious websites, offering a fake “COVID-19 Tracker” app that promised real-time updates on virus spread.
- It was never available through official app stores like Google Play, instead spreading via social engineering and phishing campaigns.
- Once installed, the app requested device administrator privileges under the guise of legitimate permissions.
Locking Process and Ransom Demand:
- After installation, CovidLock changed the device’s screen lock PIN, effectively locking the user out.
- A ransom note was displayed, demanding $100 in Bitcoin to unlock the device within 48 hours.
- The message also threatened to erase device data and leak social media accounts if the ransom wasn’t paid.
2. History and Notable Campaigns
Origin and Discovery:
- CovidLock was first reported by DomainTools researchers in March 2020 during the early months of the global pandemic.
- It emerged at a time when demand for COVID-19 information was extremely high, preying on public fear and urgency.
Notable Campaigns:
- CovidLock was spread via malicious websites designed to look like legitimate coronavirus information portals.
- The malware was quickly analyzed, and security researchers cracked the encryption and released the unlocking key to help victims regain access without paying.
3. Targets and Impact
Targeted Victims and Sectors:
- CovidLock primarily targeted individual Android users, especially those seeking reliable COVID-19 updates.
- Victims were tricked into installing the app from unofficial websites and third-party app stores.
Consequences:
- Victims were locked out of their Android devices and threatened with data destruction and privacy violations.
- Although the ransom demanded was relatively low ($100), the threat of data loss created urgency for payment.
- The attack highlighted the rise in pandemic-related cyber threats and the need for better mobile security awareness.
4. Technical Details
Payload Capabilities:
- PIN Locking: Changed the lock screen PIN code to prevent access.
- Device Administrator Access: Requested and used admin privileges to prevent uninstallation.
- Threat Messaging: Claimed it would delete all data and leak personal information if ransom demands weren’t met.
- The app was designed to appear legitimate, displaying fake COVID-19 tracking features in its interface before locking the device.
Evasion Techniques:
- Distributed outside of Google Play, bypassing standard Google security checks.
- Requested device administrator permissions under legitimate pretexts.
- Hid its malicious behaviour until after installation, presenting only the fake tracker interface first, to avoid detection.
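As an added illustration of the device-administrator and PIN-locking capabilities listed above (example code written for this page, not CovidLock's own code and not a DomainTools tool), the following Python script performs a static triage of the two artifacts every device-admin Android app must declare: a receiver protected by android.permission.BIND_DEVICE_ADMIN in AndroidManifest.xml, and the policy XML that receiver references through the android.app.device_admin meta-data. The manifest and policy file are constructed samples; the package name com.example.tracker and the receiver name .AdminReceiver are placeholders, not identifiers from the real malware. An app that presents itself as an information tracker while declaring reset-password, force-lock and wipe-data matches the lock-screen ransomware pattern described in this section.

```python
"""Static triage of an Android app's device-admin declaration (added example).

Two artifacts are checked: the BIND_DEVICE_ADMIN-protected <receiver> in
AndroidManifest.xml and the <uses-policies> list in the policy resource that
the receiver's android.app.device_admin meta-data points at.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_META = "android.app.device_admin"

# Device-admin policies that let an app lock the user out or destroy data.
# These are real policy tag names from Android's device_admin XML format.
LOCKOUT_POLICIES = {"reset-password", "force-lock", "wipe-data",
                    "disable-keyguard-features"}

# Constructed sample manifest, modelled on the layout of a device-admin app.
# Package and receiver names are placeholders, not real CovidLock identifiers.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <application android:label="Coronavirus Tracker">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample of the policy resource referenced by the meta-data above.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <force-lock/>
    <wipe-data/>
  </uses-policies>
</device-admin>
"""

# Constructed benign manifest: a receiver, but no device-admin binding.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <application android:label="News Reader">
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""


def find_admin_receivers(manifest_xml):
    """Names of receivers guarded by BIND_DEVICE_ADMIN that carry device_admin meta-data."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        if recv.get(f"{{{ANDROID_NS}}}permission") != BIND_DEVICE_ADMIN:
            continue
        for meta in recv.findall("meta-data"):
            if meta.get(f"{{{ANDROID_NS}}}name") == DEVICE_ADMIN_META:
                found.append(recv.get(f"{{{ANDROID_NS}}}name"))
                break
    return found


def declared_policies(policy_xml):
    """Set of policy tags listed under <uses-policies> in a device_admin resource."""
    root = ET.fromstring(policy_xml)
    uses = root.find("uses-policies")
    return set() if uses is None else {child.tag for child in uses}


def triage(manifest_xml, policy_xml):
    """Combine both checks; 'suspicious' means an admin receiver plus lockout policies."""
    receivers = find_admin_receivers(manifest_xml)
    policies = declared_policies(policy_xml) if receivers else set()
    risky = sorted(policies & LOCKOUT_POLICIES)
    return {
        "admin_receivers": receivers,
        "policies": sorted(policies),
        "lockout_policies": risky,
        "suspicious": bool(receivers) and bool(risky),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_POLICY_XML))
    print(triage(BENIGN_MANIFEST, SAMPLE_POLICY_XML))
```

In practice both XML files come out of a decoded APK, and the policy file name is taken from the receiver's android:resource attribute. A hit is a triage signal for analyst review rather than proof of malice: legitimate MDM agents declare the same policies, which is exactly why the mismatch between an app's advertised purpose and the powers it requests is the useful indicator.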
5. Preventing CovidLock Ransomware Infections
Best Practices:
- Only download Android apps from the Google Play Store or other trusted sources.
- Be skeptical of apps requesting device administrator access, especially when they don’t need it for their core functionality.
- Keep Android devices updated with the latest security patches.
- Use mobile security software capable of detecting ransomware and malicious apps.
- Stay informed about cybersecurity threats, particularly during times of crisis when scams increase.
Recommended Security Tools:
- Mobile antivirus apps such as Malwarebytes for Android, Bitdefender Mobile Security, and Kaspersky Mobile Antivirus.
- Google Play Protect, enabled and actively scanning for threats.
- MDM (Mobile Device Management) tools for organizations managing large fleets of mobile devices.
6. Detecting and Removing CovidLock
Indicators of Compromise (IoCs):
- Device becomes locked immediately after installing a COVID-19 tracking app from an unverified source.
- Appearance of a ransom message demanding Bitcoin payment with threats to wipe data.
- Inability to access device settings, applications, or home screen.
Removal Steps:
- Use Safe Mode to disable third-party apps, if possible.
- Attempt to revoke device administrator privileges through Settings > Security > Device Administrators.
- If the device is already locked, enter the publicly released decryption key (originally published by security researchers) to unlock it.
- If all else fails, perform a factory reset (note: this erases all data on the device).
- Restore from backups after confirming the malware is removed.
Professional Help:
For persistent infections, contact mobile device specialists or cybersecurity experts for assistance.
7. Response to a CovidLock Attack
Immediate Steps:
- Do not pay the ransom; researchers released the unlock key for victims of CovidLock.
- Disconnect the device from Wi-Fi and mobile networks to prevent further data exfiltration (if any).
- Restore device access using the available unlock solution or perform a factory reset.
8. Legal and Ethical Implications
Legal Considerations:
- CovidLock’s use of fear-mongering tactics and data privacy threats constitutes cyber extortion and fraud.
- Victims may need to notify authorities or follow data breach notification laws, depending on the region.
Ethical Considerations:
- Exploiting a global health crisis for criminal gain raises serious ethical concerns about cybercrime during emergencies.
- The case encourages ethical behavior in reporting and disclosing cyberattacks to prevent further victimization.
9. Resources and References
- DomainTools Analysis Report on CovidLock
- ESET Mobile Security Blog on Android ransomware
- CISA Warnings on pandemic-related cyber threats
- Google Play Protect guidelines for safe app use
10. FAQs about CovidLock Ransomware
Q: What is CovidLock ransomware?
CovidLock is an Android ransomware that locked users out of their devices by resetting the PIN code and demanded a ransom to restore access.
Q: How did CovidLock spread?
It spread through fake COVID-19 tracking apps hosted on malicious websites and distributed via phishing campaigns.
Q: Can CovidLock be removed without paying the ransom?
Yes. Security researchers released a free decryption key and instructions to unlock devices infected with CovidLock without paying the ransom.
11. Conclusion
CovidLock ransomware highlights how cybercriminals exploit global events to spread malware and extort victims. It serves as a reminder to practice safe app installation habits, maintain mobile device security, and remain vigilant against social engineering attacks, especially during times of crisis.