A coronavirus app is collecting sensitive information from Iranian people, including real-time geo-location, reported Iranian researcher Nariman Gharib.
Coronavirus App Spying on Iranian People
The researcher believes that the app was released by the Iranian Ministry of Health via SMS, encouraging users to install the app and perform a test to check for symptoms of the coronavirus. This information comes from a series of tweets shared by the researcher.
The good news is that Google has now removed the app from the Play Store, as it was in violation of its terms and conditions.
An employee with Iran’s Health Ministry claimed that the app was indeed developed by the Ministry but wasn’t authorized by it. Gharib says that the Ministry published a clarification stating that “no-one is allowed to obtain users’ personal information”.
It is noteworthy that Avast researcher Nikolaos Chrysaidos also analyzed the app, and confirmed Gharib’s findings on the excessive data collection:
The app first requires users to register using their telephone number. The app requests permission to access the user’s exact location, which makes sense as a user’s location can be used to recommend a hospital closest to the user, in case the user is infected with the virus. However, the app also requests permission to access ACTIVITY_RECOGNITION, which can be used to reveal if the device user is sitting, walking, or running, a permission typically used by fitness applications to track sports activities.
There are clues in the code of the app that suggest it was developed by the same group that created Talagram and Hotgram. Both apps were developed for the Iranian government as an alternative to Telegram which was officially banned in the country. Both apps were banned by Google Play Store.
As for the intrusive coronavirus app, it could also send information entered by the user such as mobile phone number, gender, name, height, and weight, to the developers’ server.
Android apps are widely known to acquire user data without users being aware of it. According to a 2019 study called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, a large part of the software installed on devices running Google’s operating system can harvest sensitive data without notifying or explicitly asking the users.
The researchers performed both static and dynamic analysis of apps obtained from the Google Play repository. Some of the personal data the researchers discovered to be hijacked includes the following:
- IMEI — This is done by accessing the phone state and reading the IMEI of the mobile device.
- Device MAC Address — By accessing the network state, the device’s MAC address can be acquired.
- User Email Address — The email address of the victim users can be acquired by reading the account data of the Google device that it is installed on.
- Phone Number — The phone number of the installed device is acquired from the phone state.
- SIM ID — The SIM ID of the installed device is acquired from the phone state.
- Router MAC Address — By accessing the Wi-Fi state, information about the MAC address of the network’s router can be read.
- Router SSID — By accessing the Wi-Fi state, information about the SSID of the network’s router can be read.
- GPS Location — By reading the “fine location” values the GPS coordinates of the mobile device can be acquired.
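The list above can be turned into a quick manifest check. The following is an added example, not code from the study or from either researcher: it assumes a manifest already decoded to text XML, and the sample manifest, package name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declared permission -> data it can expose (the list above, plus the
# ACTIVITY_RECOGNITION permission mentioned earlier in the article).
EXPOSES = {
    "android.permission.READ_PHONE_STATE": ["IMEI", "phone number", "SIM ID"],
    "android.permission.ACCESS_NETWORK_STATE": ["device MAC address"],
    "android.permission.GET_ACCOUNTS": ["user email address"],
    "android.permission.ACCESS_WIFI_STATE": ["router MAC address", "router SSID"],
    "android.permission.ACCESS_FINE_LOCATION": ["GPS location"],
    "android.permission.ACTIVITY_RECOGNITION": ["physical activity"],
    "com.google.android.gms.permission.ACTIVITY_RECOGNITION": ["physical activity"],
}

# Constructed sample, NOT the manifest of the app discussed in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.symptomcheck">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def unjustified_exposure(manifest_xml, justified):
    """Map each exposed data type to the permissions that expose it,
    skipping permissions the app's stated purpose accounts for."""
    report = {}
    for perm in sorted(declared_permissions(manifest_xml) - set(justified)):
        for data in EXPOSES.get(perm, []):
            report.setdefault(data, []).append(perm)
    return report


if __name__ == "__main__":
    # Assumption: only fine location is needed (nearest-hospital lookup).
    ok = {"android.permission.ACCESS_FINE_LOCATION"}
    for data, perms in unjustified_exposure(SAMPLE_MANIFEST, ok).items():
        print(f"{data}: {', '.join(perms)}")
```

A manifest check only covers declared permissions; the circumvention described in the 2019 study requires the static and dynamic analysis the researchers used.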