{
	"id": "5067dc40-7f38-4f82-bca3-1c902a4d4d85",
	"created_at": "2026-04-06T00:10:22.711314Z",
	"updated_at": "2026-04-10T13:11:19.098999Z",
	"deleted_at": null,
	"sha1_hash": "60ce4d46f2101a74cc946936b8a02940a28e6779",
	"title": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69796,
	"plain_text": "Coronavirus Update App Leads to Project Spy Android and iOS Spyware\r\nBy Tony Bao, Junzhi Lu\r\nPublished: 2020-04-14 · Archived: 2026-04-05 23:01:12 UTC\r\nWe discovered a potential cyberespionage campaign, which we have named Project Spy, that infects Android and iOS devices with spyware (detected by Trend Micro as AndroidOS_ProjectSpy.HRX and IOS_ProjectSpy.A, respectively). Project Spy uses the ongoing coronavirus pandemic as a lure, posing as an app called Coronavirus Updates. Further investigation also found similarities with two older samples, one disguised as a Google service and a later one as a music app. However, we have noted only a very small number of downloads of the app in Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada, and Russia.\r\nProject Spy routine\r\nAt the end of March 2020, we came across an app masquerading as a coronavirus update app, which we named Project Spy based on the login page of its backend server.\r\nFigure 1. Project Spy as an app called Corona Updates\r\nFigure 2. The Project Spy server login page. The address and login credentials for the server are found in the app’s code.\r\nThis app has the following capabilities:\r\nUpload GSM, WhatsApp, Telegram, Facebook, and Threema messages\r\nUpload voice notes, stored contacts, accounts, call logs, location information, and images\r\nUpload an expanded list of collected device information (e.g., IMEI, product, board, manufacturer, tag, host, Android version, application version, name, model, brand, user, serial, hardware, bootloader, and device ID)\r\nUpload SIM information (e.g., IMSI, operator code, country, MCC (mobile country code), SIM serial, operator name, and mobile number)\r\nUpload Wi-Fi information (e.g., SSID, Wi-Fi speed, and MAC address)\r\nUpload other information (e.g., display, date, time, fingerprint, created at, and updated at)\r\nThe app steals messages from popular messaging apps by abusing notification permissions to read notification content and save it to a database. It also requests permission to access additional storage.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/\r\nPage 1 of 4\r\nFigure 3. The app intercepts received broadcasts and saves notification content in a database\r\nFigure 4. Abusing notification permissions to read the notification content\r\nProject Spy’s earlier versions\r\nSearching for the domain in our sample database, we found that the coronavirus update app appears to be the latest version of another sample that we detected in May 2019.\r\nFigure 5. The May 2019 (first) version contains the same domain as the March 2020 (third) version\r\nThe first version of Project Spy (detected by Trend Micro as AndroidOS_SpyAgent.HRXB) had the following capabilities:\r\nCollect device and system information (i.e., IMEI, device ID, manufacturer, model, and phone number), location information, stored contacts, and call logs\r\nCollect and send SMS\r\nTake pictures via the camera\r\nUpload recorded MP4 files\r\nMonitor calls\r\nSearching further, we also found another sample that could be the second version of Project Spy. This version appeared as Wabi Music and copied the look of a popular video-sharing social networking service for its backend login page. The developer name listed for this second version on Google Play was “concipit1248”, and the app may have been active between May 2019 and February 2020. It appears to have become unavailable on Google Play in March 2020.\r\nFigure 6. Project Spy’s second version (left) and login page (right)\r\nThe second Project Spy version has capabilities similar to the first version, with the addition of the following:\r\nStealing notification messages sent from WhatsApp, Facebook, and Telegram\r\nAbandoning the FTP mode of uploading the recorded images\r\nAside from the change in the app’s purported function and look, the code of the second and third versions differs little.\r\nPotentially malicious iOS connection\r\nUsing the code and the name “Concipit1248” to check for more versions, we found two other apps in the App Store.\r\nFigure 7. Apps available in the App Store; the developer is “Concipit Shop”\r\nFurther analysis of the iOS app “Concipit1248” showed that the server it uses, spy[.]cashnow[.]ee, is the same one used in the Android version of Project Spy.\r\nFigure 8. Concipit1248 iOS app’s code showing the server address\r\nHowever, although the “Concipit1248” app requests permissions to open the device camera and read photos, its code can only upload a self-contained PNG file to a remote server. This may imply that the “Concipit1248” app is still incubating.\r\nFigure 9. iOS app Concipit1248’s permissions\r\nThe other iOS app from the same developer, “Concipit Shop”, appeared normal and was last updated in November 2019. Based on its analysis of the code, Apple has confirmed that the iOS apps are not functioning, and stated that the sandbox is able to detect and block these malicious behaviors.\r\nConclusion\r\nThe “Corona Updates” app had relatively few downloads in Pakistan, India, Afghanistan, Bangladesh, Iran, Saudi Arabia, Austria, Romania, Grenada, and Russia. Perhaps the app’s false capabilities also contributed to the low number of downloads. It also appears that the apps may still be in development or incubation, perhaps waiting for the “right time” to inject the malicious code. It is also possible that the apps are being used to test other techniques. A possible trigger for that timing might be the app reaching a specific number of downloads or infected devices.\r\nThe coding style suggests that the cybercriminals behind this campaign are amateurs. The incomplete iOS code used in this campaign may have been bought, while other capabilities appear to have been added. This may also explain the gap between “incubation” and the apps becoming fully functional. As this is a group we have not observed before, we will continue monitoring this campaign for further developments.\r\nUsers are cautioned to research apps and check reviews before downloading them. Look at the app’s display and text, stated functions, reviews from other users, and requested permissions before downloading. Make sure that all other installed apps and the device operating system are updated to the latest version.\r\nTrend Micro solutions\r\nUsers can install security solutions, such as Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android™ (also available on Google Play), that can block malicious apps. End users can also benefit from their multilayered security capabilities that secure the device owner’s data and privacy, and from features that protect them from ransomware, fraudulent websites, spyware, and identity theft.\r\nFor organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. The suite also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nIndicators of Compromise (IoCs)\r\nSHA256 Detection\r\ne394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe AndroidOS_SpyAgent.HRXB\r\ne8d4713e43241ab09d40c2ae8814302f77de76650ccf3e7db83b3ac8ad41f9fa AndroidOS_ProjectSpy.HRX\r\n29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d AndroidOS_ProjectSpy.HRX\r\n3a15e7b8f4e35e006329811a6a2bf291d449884a120332f24c7e3ca58d0fbbdb IOS_ProjectSpy.A\r\nURLs\r\ncashnow[.]ee Backend server\r\nftp[.]XXXX[.]com Backend server\r\nspy[.]cashnow[.]ee Backend server\r\nxyz[.]cashnow[.]ee Backend server\r\nMITRE ATT\u0026CK Framework\r\nAndroid: ATT\u0026CK mapping figure\r\niOS: ATT\u0026CK mapping figure\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"
	],
	"report_names": [
		"coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434222,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60ce4d46f2101a74cc946936b8a02940a28e6779.pdf",
		"text": "https://archive.orkl.eu/60ce4d46f2101a74cc946936b8a02940a28e6779.txt",
		"img": "https://archive.orkl.eu/60ce4d46f2101a74cc946936b8a02940a28e6779.jpg"
	}
}