{
	"id": "f2c40c07-fa3f-4e4b-b44a-2c8bf4460714",
	"created_at": "2026-04-06T00:20:11.627036Z",
	"updated_at": "2026-04-10T03:30:33.600813Z",
	"deleted_at": null,
	"sha1_hash": "030f1b9f7d70a843f6f60fdc435449d3c7b0e241",
	"title": "Android App Offers Coronavirus Mask, Delivers Trojan | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1114706,
	"plain_text": "Android App Offers Coronavirus Mask, Delivers Trojan | blog\r\nBy Shivang Desai\r\nPublished: 2020-03-19 · Archived: 2026-04-05 20:47:11 UTC\r\nAmidst the coronavirus/COVID-19 pandemic, attackers continue to seek ways to exploit the public's fears to\r\nvictimize online users. \r\nThreatLabZ researchers recently came across a domain named coronavirusapp[.]site that was serving Android\r\nransomware. The app claims it can notify the user when anyone infected with coronavirus is nearby. Another\r\ndomain, hxxp://coronasafetymask.tk, asks users to install an APK to receive a \"Corona Safety Mask.\"  \r\n \r\nFig. 1: Webpage (downloader)\r\nOverview\r\nApp Name: Corona Safety Mask\r\nhttps://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan\r\nPage 1 of 5\n\nPackage: com.coronasafetymask.app\r\nHash: d7d43c0bf6d4828f1545017f34b5b54c\r\nVirus Total: 0/64\r\nTechnical Description\r\nOnce the user installs the app, it asks for permission to read contacts and send SMS messages. This is a huge red\r\nflag for the user to immediately discard the app. \r\nThe screenshot below shows this functionality:\r\nFig. 2: Initial activities\r\nIf the app is installed, it asks the user to click a button that leads to an online portal responsible for selling masks\r\nonline. There's the threat that the malware could ask the victim to pay online for the mask and steal the credit card\r\ninformation, but we did not find any such functionality in the app. We believe the app is in its early stages and this\r\n(and other) functionalities will be added as the app is updated.\r\nThe app simply opens an online portal in the default browser. \r\nFig. 3: URL\r\nAlong with all the above activities, an important functionality takes place behind the scenes. The app checks\r\nwhether it has already sent SMS messages or not. If it has not, it collects all the victim's contacts, as shown in\r\nthe screenshot below: \r\nFig. 4: Initial checks before sending SMS\r\nOnce all the contacts are collected by the app, it sends SMS messages to all the contacts with a download link in\r\nan effort to spread itself to more users. The screenshot below shows sendTextMessage, an Android function to\r\nsend out SMS messages to all contacts. \r\nFig. 5: SMS sending functionality\r\nWe allowed the app to dynamically run in a controlled environment. The screenshot below shows how the\r\nreceived SMS message appears. It states: \r\n\"Get safety from corona virus by using Face mask, click on this link download the app and order your\r\nown face mask - hxxp://coronasafetymask.tk\"\r\nFig. 6: SMS received with download link\r\nBy sending itself to a victim's contact list, this malicious app aims to spread itself over and over (which can result\r\nin hefty usage charges for victims).\r\nConclusion\r\nAs we mentioned in a previous post, attackers are going to take every opportunity to victimize users. During the\r\ncoronavirus outbreak, it's important to protect yourself online just as it's important to protect your health.\r\nThe precautions you take online have been covered extensively; even so, we believe this information bears\r\nrepeating. Please follow these basic precautions during the current crisis—and at all times: \r\nInstall apps only from official stores, such as Google Play.\r\nNever click on unknown links received through ads, SMS messages, emails, or the like.\r\nNever trust apps with claims that seem unrealistic. (There is no technology yet invented that can inform a\r\nuser whether a coronavirus patient is nearby.)\r\nAlways keep the \"Unknown Sources\" option disabled on the Android device. This prevents apps from being\r\ninstalled on your device from unknown sources. \r\nSource: https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan"
	],
	"report_names": [
		"new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/030f1b9f7d70a843f6f60fdc435449d3c7b0e241.pdf",
		"text": "https://archive.orkl.eu/030f1b9f7d70a843f6f60fdc435449d3c7b0e241.txt",
		"img": "https://archive.orkl.eu/030f1b9f7d70a843f6f60fdc435449d3c7b0e241.jpg"
	}
}