The fake versions are able to make phone calls, record videos and calls
The spyware also downloads the original Aarogya Setu app to appear less suspicious
Recently, the govt made Aarogya Setu app open source for experts to find vulnerabilities
As privacy concerns around the Indian government’s Aarogya Setu app ease up with the app being made open source, cybersecurity researchers have found fake apps masquerading as the contact tracing app and siphoning off user data.
Cybersecurity firm SonicWall Labs Threats found malicious fakes of the Aarogya Setu app that were spyware in disguise. These apps were capable of making phone calls to premium numbers, recording phone calls, sending SMSes, taking photographs and recording videos.
“As the Aarogya Setu App gained popularity in India, it became a target for malware creators. With increasing cyber threats it appears that cybercriminals are working overtime to create dissonance among mass app users,” Debasish Mukherjee, VP of regional sales APAC at SonicWall, said.
The firm highlighted that uninstalling the app through the regular methods removes only the app in the front, while the spyware remains on the device. Users can remove the spyware only by uninstalling the apps through settings.
The research team also observed that some of these malicious apps piggyback on the legitimate Aarogya Setu app in the resources folder, which is used to store values for details and permissions of apps in the Android operating system. Such malicious apps also download the original version of the app in the background to fool the user into believing they’re using a legitimate app. However, the app continues to run its spyware in the background.
A previously discovered fake Aarogya Setu “add-on” app also sought device admin privileges and permissions to install other apps once downloaded. That app, too, installs the original Aarogya Setu app from the resources folder to deceive users.
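The bundling described above can be checked for during app triage. The following is an added example, not code from SonicWall or the Aarogya Setu project: it scans a package for a second Android package hidden among its resources, whatever the file is named. It assumes the "resources folder" means the res/ and assets/ trees of the APK, and the sample archive is constructed for illustration.

```python
import io
import zipfile

# Assumption: the "resources folder" means the res/ and assets/ trees of an APK.
RESOURCE_PREFIXES = ("res/", "assets/")


def looks_like_apk(data: bytes) -> bool:
    """True if data is a ZIP archive with AndroidManifest.xml at its root."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    try:
        with zipfile.ZipFile(buf) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Names of resource entries that are themselves APKs, whatever their extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith(RESOURCE_PREFIXES):
                continue
            if looks_like_apk(outer.read(info)):
                hits.append(info.filename)
    return sorted(hits)


def build_zip(entries: dict) -> bytes:
    """Helper for the constructed samples: pack {name: bytes} into a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample, not a real app: an outer package hiding a second one in res/raw.
INNER = build_zip({"AndroidManifest.xml": b"placeholder", "classes.dex": b"placeholder"})
SAMPLE = build_zip({
    "AndroidManifest.xml": b"placeholder",
    "res/raw/data.bin": INNER,                                 # nested APK, misleading name
    "assets/fonts.zip": build_zip({"a.ttf": b"placeholder"}),  # plain ZIP, not an APK
    "res/values/strings.xml": b"<resources/>",
})

if __name__ == "__main__":
    print(find_embedded_apks(SAMPLE))
```

A hit is a reason to look closer, not proof of malice: the check matches on content rather than file extension, so a renamed package is still reported.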
The firm also noted that it is difficult to identify malicious apps based on their icons. In most cases, the common element was the range of spyware capabilities, it added.
Meanwhile, the real Aarogya Setu app had failed the MIT Technology Review test of contact tracing apps, getting one out of five stars due to some issues related to data collection and privacy. However, since then the app has been made open source with the government opening up the code for examination.
On May 26, the government made the Android version of the Aarogya Setu app open source and plans to do the same with the iOS and KaiOS versions. Now, the government is allowing developers and cybersecurity experts to find loopholes and vulnerabilities in the app.