Fake Android coronavirus app reveals possible iPhone spyware

A new spyware campaign that uses both cryptocurrency and the coronavirus as lures may be getting set to hit iPhone and Android users, according to a new report from Trend Micro.

Tom's Guide did some further digging into the domain names and companies mentioned in the Trend Micro report, and found information that blurs the line between legitimate online companies and possible criminal activity.

The Android spyware apps can steal Facebook messages, WhatsApp messages, text messages, contact lists, call logs, photos, and location and device information from infected phones. 

The iOS apps' information-stealing capabilities are fewer, but Trend Micro thinks that "the apps may still be in development or incubation, maybe waiting for a 'right time' to inject the malicious codes." 

Two of these apps are still available in both the Google Play and iOS app stores, but Trend Micro noted that the apparent malware's "coding style suggests that the cybercriminals behind this campaign are amateurs."

If you're an Android user, you'll want to protect yourself with one of the best Android antivirus apps. There's no such antivirus software available for iPhones, but Apple told Trend Micro that the iOS "sandbox is able to detect and block these malicious behaviors."

An apparently legitimate company

The apps seem to originate from a company called Concipit 1248, whose website proclaims it as the "1st Cashback Platform on Blockchain". The company offers a white paper explaining its business model, and its executives seem to be a mix of Pakistani and Italian citizens. Concipit 1248 appears to be based in Estonia, and its website looks totally legit.

But Concipit 1248 is associated with a website called Cashnow.ee. (The best antivirus software will block access to it.) 

That in turn has a subdomain called "spy.cashnow.ee" that looks like a total cybercrime site, including a flashy background animation that features the V for Vendetta mask and refers to "Project Spy 201" and "Target Mr. Anonymous." 

A screen grab of the website at spy.cashnow.ee. (Image credit: CashNow OU)

As a result, Trend Micro calls this whole operation Project Spy.

Concipit 1248 currently has two apps in both the Google Play and iOS app stores, called Concipit 1248 and Concipit Shop. 

The first has something to do with the Ethereum cryptocurrency, while the second seems to be a cash-back platform for online shoppers. Both apps' self-descriptions are word salads of trendy tech-business buzzwords. 

Trend Micro examined the iOS version of the Concipit 1248 app and found that it communicates with the "spyware.cashnow.ee" server. It's not clear if Trend Micro examined, or was aware of, the Android versions of those apps.

Unraveling a thread

The unraveling of this thread of threats began last month when Trend Micro looked at a bogus Android app called Coronavirus Updates. Tom's Guide couldn't find Coronavirus Updates in the official Google Play store, but Trend Micro's report implied the app had been there at one point.

Coronavirus Updates steals all sorts of information from Android phones, as noted above. Like the iOS version of the Concipit 1248 app, it also dials up to and logs into the aforementioned "spy.cashnow.ee" server.

Trend Micro found that the "spyware.cashnow.ee" server had also been used by earlier Android spyware apps, including a music-sharing app that appeared to be a fake version of TikTok. That app is no longer available, but its developer was listed in Google Play as Concipit 1248.

Overlapping ownership

Registry information for both the "concipit1248.com" and "cashnow.ee" domains is hidden behind privacy proxies, but Tom's Guide found a contact name and email address for "cashnow.ee" listed on the Estonian domain registrar. ("EE" is the Estonian top-level domain suffix.) 

The contact name for "cashnow.ee" matches that of the founder of Concipit 1248, as listed in the firm's white paper, and also matches that of a 38-year-old man who is part of the management team of an Estonian firm called CashNow.

The contact email address clearly refers to Concipit 1248. Tom's Guide sent it a message seeking comment on the Trend Micro report, and we will update this story when we receive a reply.

Trend Micro noted that, "as this is a group we have not observed before, we will continue monitoring this campaign for further developments."

Tom's Guide has to stress that these various companies and websites could be completely legitimate and not involved in anything illegal. Even the "spyware.cashnow.ee" website could just be an ironic joke. But there's a lot of circumstantial evidence to indicate otherwise.

Paul Wagenseil
