Contact Tracing Apps - Problem or Panacea

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

As governments ease back from lockdown, countries around the world are seeing 2nd waves of COVID-19 infections, and until a vaccine is on the market for public consumption, contact tracing remains one of the key tools in the fight against the spread of COVID-19. With high penetration of smart phones globally, contact tracing via mobile technology appears to be the most expedient way to identify and notify people who may have come into contact with an infected person, with the aim of reducing infections in the population. However, the implementation has not been without its challenges. This issue of CyberSense looks at some of the issues plaguing contact tracing apps and how threat actors have taken advantage of such platforms for malicious purposes.

Different individuals all masked up, doing their own tasks with a bubble around them and all linked.

Fig 1. Source

TAKE-UP (RATES), THE CHALLENGE

Historically, contact tracing has been core to disease control efforts, having been used to contain Ebola, SARS, MERS, tuberculosis and other disease outbreaks. Research has shown that disease transmission can be reduced through the tracing and isolation of a sick person, as swiftly as possible. The effective use of technology combined with measures such as social distancing and quarantine, could drastically aid the contact tracing process^[1]. A recent study reported that highly effective contract tracing and case isolation was enough to control a new COVID-19 outbreak within 3 months, although the probability of control decreased when factors such as the time lag between symptom onset and contact tracing came into play^[2]. At the end of the day, the crucial factor undergirding the efficacy of contact tracing is the speed at which contact tracers are able to track and inform suspected cases.

In spite of the benefits of the technology, contact tracing apps have been fraught with adoption obstacles, fuelled primarily by privacy fears and aided by reports of app vulnerabilities that allow PII data to be misappropriated. A study by Oxford University reported that if around half the total population used a contact tracing app, alongside other interventions, it could potentially stop the epidemic^[3] – an ideal situation, but in reality, adoption rates are slow, especially in countries where the use of the app is voluntary^[4].

In Singapore’s case, the voluntary TraceTogether app has been downloaded by about 2.1 million people^[5] (as of 28 June 2020), approximately 35% of Singapore’s population, still falling short of the optimum number of users as app developers face the challenge of convincing the public that privacy fears are unfounded.. A Singapore-based polling group Blackbox Research reported that 45% of respondents were reluctant to download the app due to the worry that their movements were tracked by the government. Yet at the same time, a survey by the LKYSPP Institute of Policy Studies found that 59% of respondents agreed that the app should be compulsory for anyone entering “public places, like shopping centres and wet markets”^[6]. People clearly see the need for such technology but are unable to reconcile this with innate privacy concerns.

CASHING IN ON (COVID) CHAOS

The COVID-19 pandemic poses an prime opportunity for cybercrime, from the targeting of COVID-19 response organisations to preying on telecommuters and the rise of COVID-19 related phishing. While public health versus privacy debates over contact tracing apps remain a Pandora’s box of perennial issues that are not easily resolved, cybercriminals have not dallied in seizing the opportunity to target the developing technology.

As governments around the world push to develop smartphone apps to track the spread of COVID-19, there have already been incidences of malicious apps propagated by sophisticated threat actors to inject malware and harvest information stored on victims’ devices. In early June 2020, Anomali cyberthreat researchers identified fake COVID-19 contact tracing apps that imitated 12 official government Android versions worldwide, including Singapore’s TraceTogether*. The fake apps were distributed by various threat actors through various means, such as third-party stores, outside the official Google Play Store. The fake apps have built-in capability to download malware including Anubis – a banking malware that harvests credentials and sensitive information, and SpyNote – a malware that monitors and exfiltrates data from infected devices^[7].

*Advisories have been published by SingCERTand TraceTogether app developers to warn users against downloading apps outside the official Google Play Store and Apple’s iOS App Store.

Threat actors take advantage of the trust that people place in apps released by government agencies to aid their cause. This is especially the case as governments worldwide are ramping up measures to contain the further spread of the virus following exit from COVID-19 lockdowns. Notably, when the Indian government made their contact tracing app mandatory for all public and private sector employees, (a reported 100 million downloads within 6 weeks^[8]), threat actors were quick to spoof the official app, with the fake app appearing on cyberthreat researchers’ radars in approximately a month. Similarly, both Italy^[9] and Canada’s^[10] official contact-tracing app were spoofed with the end goal of delivering ransomware to unsuspecting victims who downloaded the fake apps. While the spoofing of contract tracing apps appears to be largely uncoordinated incidents, the COVID-19 theme continues to be exploited by threat actors as countries navigate the path from lockdown to recovery

A BALANCING ACT FOR PUBLIC HEALTH, PRIVACY AND SECURITY

The fears of data being misappropriated are not unfounded amid observations of malicious campaigns targeting both human and technological vulnerabilities. Yet, it is generally acknowledged that without contact-tracing technology, the fight against the spread of COVID-19 would be much longer drawn. In the “COVID Tracing Tracker” database by MIT Technological Review which lists state-backed automated contact tracing apps, Singapore’s TraceTogether ticked all the boxes in terms of safeguarding of rights and transparency^[11] – boding well for allaying privacy concerns.  Regardless of the developmental, privacy and security issues, in the absence of a COVID-19 vaccine, contact tracing apps are here to stay. Countries will continue to contend with privacy and security concerns, whilst balancing the demands of a public health emergency. In the realm of cybersecurity, the continued development of contact tracing technology, coupled with time pressure, represents a burgeoning attack surface for malicious actors, which calls for heightened vigilance and a constant push to improve data security.

References

• [1] Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing

• [2] Feasibility of controlling COVID-19 outbreaks by isolation of cases and contacts

• [3] Digital contact tracing can slow or even stop coronavirus transmission and ease us out of lockdown

• [4] Global contact tracing app downloads lag behind effective levels

• [5] Annex B: Digital tools for effective contact tracing

• [6] Public Health or Privacy Concern? The Debate over Contact-tracing Apps

• [7] Anomali Threat Research Identifies Fake COVID-19 Contact Tracing Apps Used to Download Malware that Monitors Devices, Steals Personal Data

• [8] Aarogya Setu: Why India's Covid-19 contact tracing app is controversial

• [9] [F]Unicorn Ransomware Masquerading as COVID-19 Contact Tracing App

• [10] Mobile ransomware disguised as upcoming Canadian Covid-19 contact tracing app

• [11] A flood of coronavirus apps are tracking us. Now it’s time to keep track of them