While people using the app thought they were keeping tabs on the pandemic, the malicious app was actually tracking them: getting access to the device's photos, videos, location and camera. The camera access would allow the attackers to take photos and record videos and audio, Lookout said.
"This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends," Lookout said in a blog post. The security company warned against downloading apps from a third party because of the security concerns.
Lookout's findings aren't the only case in which apps are using coronavirus anxiety to surveil people en masse. CNET sister site ZDNet reported that the Iranian government's official coronavirus tracking app raised privacy concerns after users accused it of collecting phone numbers and real-time location data.
The coronavirus outbreak has spread at an alarming rate, forcing cities to shut down and major events to be canceled in an attempt to slow the rate of new cases. Fear over the outbreak has caused people to panic buy and spread false information. Hackers have always exploited current events, like tax season or award shows, to trick victims into cyberattacks they normally would not fall for.
The coronavirus outbreak is no different. Security researchers have seen an uptick in hacking attempts amid the pandemic, and as in the case of the malicious apps, the attacks have gone beyond well-disguised emails.
The Lookout researchers who found the fake coronavirus tracker app linked it to SpyMax, a low-cost commercial surveillanceware tool that people can buy online. The tool is implemented in apps and can then remotely activate cameras and microphones, as well as read call logs, text messages and locations.
"We appreciate Lookout's work as a member of the App Defense Alliance. These apps are not available on the Google Play Store," a Google spokesperson said in a statement.
Lookout said the spying app it discovered wasn't alone, and is tied to a larger surveillance campaign targeting people in Libya. While the campaign has had many different disguises since April 2019, its two latest spying apps are coronavirus-related, Lookout said.
Watch this: Pandemic: Here's what's changed about the coronavirus
35 things to buy if you're stuck at home thanks to coronavirus (besides toilet paper)
The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.