REPORT: Coronavirus Tracking Apps A ‘Honeypot’ For Hackers

Cellphone applications created so that users can self-report symptoms of COVID-19 — or even track nearby outbreaks using official data from the Johns Hopkins team researching the coronavirus pandemic — may be putting Americans at risk of being hacked according to a new report from Politico.

Coronavirus tracking apps released back in the early days of the pandemic were fraught with issues, infecting American cell phones with malware and other tracking software “retooled” to submit surveillance data to foreign hackers, CNET reported back in March.

A “coronavirus live” app, which claimed to provide users with up-to-the-minute data based on the Johns Hopkins numbers, was “actually tracking them: getting access to the device’s photos, videos, location, and camera. The camera access would allow the attackers to take photos and record videos and audio,” per CNET.

The latest wave of COVID-19 tracking apps, many of which invite users to submit health data and symptom information, were supposed to have been an improvement on those earlier applications, but Politico says the apps are sending sensitive personal information to nefarious characters.

“In the Qatar Covid-19 app,” the outlet reported Monday, “researchers found a vulnerability that would’ve let hackers obtain more than a million people’s national ID numbers and health status. In India’s app, a researcher discovered a security gap that allowed him to determine who was sick in individual homes. And researchers uncovered seven security flaws in a pilot app in the U.K.”

The problems aren’t limited to generally available apps. The official North Dakota state COVID-19 tracker app, for example, was “sending users’ location data to the digital marketing service Foursquare.”

The security holes are dangerous, particularly given that Americans are actively uploading sensitive personal information into databases. If users upload health information, it could be used as a way of facilitating identity theft. If they upload location and contact information and list names and addresses of contacts like clients, hackers could exploit business relationships or reveal confidential or protected data.

In aggregate, the information uploaded into a branded app could even provide foreign governments with an inside look at how the United States is faring during the pandemic and help identify weak spots where authority and control are minimal.

“You can think of all sorts of potential abuses for this information: finding out who visited a psychiatrist regularly, who sat near the pro-democracy activists at university, who wasn’t alone when they said they were,” one cybersecurity expert told Politico.

Experts suggest that, if users want to track the spread of COVID-19 and keep their information safe, they should resist the urge to download apps from third-party websites rather than the Google Play or Apple App Store, get their information from “credible sources,” and use privacy blockers before connecting to public wi-fi networks.