Google has removed today an Android app from the official Play Store that was developed by the Iranian government to test and keep track of COVID-19 (coronavirus) infections.
Before being removed from the Play Store, controversy surrounded the app, and several users accused the Iranian government of using the COVID-19 scare to trick citizens into installing the app and then collecting phone numbers and real-time geo-location data.
In hindsight of accusations, ZDNet has asked Lukas Stefanko, an Android malware researcher at ESET, to review the app for any malicious or spyware-like behavior.
“Based on the analysis of the app’s APK, the app is not a malicious Trojan or spyware,” Stefanko told ZDNet earlier today.
A Google spokesperson did not respond to a request for comment on the reasons the app was removed; however, sources familiar with Play Store policies told ZDNet the app was most likely taken down because of its misleading claims — namely that it could detect COVID-19 infections, something that is impossible through an app.
Suspected COVID-19 patients are tested and confirmed as infected following a microbiological analysis of a throat swab.
AC19 — Iran’s national COVID-19 “detection” app
The app, which is named AC19, was released last week and was made available through a dedicated website, the official Play Store, and other third-party app stores.
The app was released while Iran is in the midst of a national health crisis, with the country being one of the most impacted countries in the world by the novel COVID-19 coronavirus.
After it’s release, Iran’s Health Ministry sent a mass SMS message to all Iranians urging them to install the app to check potential COVID-19 symptoms.
The app would let users register using their phone number and then ask Iranians to answer a series of questions related to coronavirus symptoms.
The idea was to let Iranians determine if they had severe symptoms, in order to prevent citizens from needlessly flooding local hospitals.
However, the app would also request access to real-time geo-location details, which it would immediately upload to a remote backend.
Ties to a suspicious app developer
Although access to this geo-location information was requested through a legitimate permission prompt that users had to agree, it was soon discovered that the app had been developed by a company that has previously built other apps for the Iranian regime.
The company, named Smart Land Strategy, previously built two Telegram clones named Gold Telegram and HotGram. Both apps were removed from the Play Store on accusations of secretly collecting user data, and reports at the time[1, 2, 3] claimed the apps were developed at the behest of Iranian intelligence agencies.
However, Stefanko said AC19 did not contain any suspicious behavior, and the app requested access to location data just like any regular Android app. Furthermore, being a health-related app, such a request wouldn’t be out of place for this category of apps, Stefanko added.
It is very likely that the app was caught in the crackdown against COVID-19-related content. Many tech companies that run app stores and online advertising platforms — like Apple, Facebook, and Google — have recently begun cracking down on COVID-19-related content, especially the ones that pretend to offer detection services, fake cures, peddle conspiracy theorists, or other misleading content.
But even if the AC19 app was clean at the moment, in hindsight of Smart Land Strategy’s ties to the previous Telegram clones, Iranian dissidents who requested we not name them in this article told ZDNet that the Iranian government could be using the current COVID-19 pandemic as a ruse to trick millions of Iranians into installing the app, collect their device and location details, and then install malware on their devices through a subsequent update.
What is certain at the time of writing is that millions of Iranians have already installed the app, and that the app’s data is reaching Iranian government bodies.
According to a tweet shared today by MJ Azari Jahromi, Iran’s Minister of Information and Communications Technology, the government has already collected location data points for more than four million Iranians with the help of the app.
Currently, while the app has been removed from the Play Store, the app is still being offered for download through the ac19.ir website and other third-party app stores.
AC19 app IOC: VirusTotal link.
Credit: Zdnet
