Fraudulent Apps on the Google Play Store: COVID-19 Contact Tracing Edition

Cryptographers around the world are still designing privacy-preserving contact tracing systems for combating the spread of COVID-19.

Even though some papers have been published (one using zero-knowledge proofs, another based on blockchain (sigh)), the ink is still very wet. The first framework designed by Apple and Google needs work but was surprisingly not god-awful.

That is to say: As of 2020-05-08, there is currently no implementation of privacy-preserving contact tracing available to the world. It might be coming soon, but it ain’t here yet.

But a quick search through the Google Play Store would surely lead you to believe otherwise.

What you see when you search “contact tracing” on the Google Play Store.

The first thing that leaps out is that there are two advertisements for things that are mostly irrelevant to contact tracing. Since “contact tracing” is a hot topic (and will only become increasingly hot when the real apps are ready to be deployed), it’s clear that there’s a profit incentive at work.

But with a little further study, we can see that this profit motive persists as we look down the list.

Ads and in-app purchases? That sure fits the “contact tracing” use case.
You’re awfully SURE of yourself, aren’t ya?

The first one (an app named simply “Contact Tracing”) was first published in March 2020, so it was clearly created to capitalize on the pandemic.

The source code for their app (which was written in Cordova, and thus didn’t even require any reverse-engineering effort) contains a lot of references to a product named “Crypto Account Manager” by the same company.
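The kind of check described above can be scripted. The following is an added example, not code from this post or from the app: it relies on the fact that an APK is a ZIP archive and that Cordova's Android build ships the app's HTML/JS as plain files under `assets/www/`. The sample archive, its file contents, and the function names are constructed for illustration.

```python
import io
import re
import zipfile

# Cordova's Android build ships the app's HTML/JS as plain files under assets/www/.
WWW = "assets/www/"
MARKERS = {WWW + "cordova.js", WWW + "cordova_plugins.js"}
TEXT_EXT = (".js", ".html", ".htm", ".json", ".css")


def triage(apk_bytes, phrases):
    """Return (is_cordova, {phrase: [(file, line_no), ...]}) for an APK's web assets."""
    hits = {p: [] for p in phrases}
    patterns = {p: re.compile(re.escape(p), re.IGNORECASE) for p in phrases}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:  # an APK is a ZIP archive
        names = apk.namelist()
        is_cordova = bool(MARKERS & set(names))
        for name in names:
            if not (name.startswith(WWW) and name.lower().endswith(TEXT_EXT)):
                continue  # skip binaries and anything outside the web bundle
            text = apk.read(name).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for phrase, pattern in patterns.items():
                    if pattern.search(line):
                        hits[phrase].append((name, line_no))
    return is_cordova, hits


def build_sample_apk(with_cordova=True):
    """Constructed stand-in for an APK; contents are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/www/index.html", "<title>Contact Tracing</title>\n")
        z.writestr("assets/www/js/app.js",
                   "var ready = false;\nvar product = 'Crypto Account Manager';\n")
        if with_cordova:
            z.writestr("assets/www/cordova.js", "// cordova bootstrap\n")
    return buf.getvalue()


if __name__ == "__main__":
    cordova, hits = triage(build_sample_apk(), ["Crypto Account Manager"])
    print("Cordova app:", cordova)
    for phrase, where in hits.items():
        print(f"{phrase!r}: {where}")
```

A hit for a product name that has nothing to do with the store listing is a cue to look closer at who published the app and why.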

In case anyone needs it, their contact information is apparently: Piusworks LLC. 969G Edgewater Blvd. #750. Foster City, CA 94404.

Ah yes, Cryptocurrency! That’s exactly what an Android user wanted when they searched for “contact tracing”.

This is exactly the kind of disingenuous behavior you expect from the sorts of bottom-feeders that would capitalize on a pandemic for profit.

Worth noting: The CDC app at the bottom was legitimate, but their development team is clearly having a tough time.

I can relate to your struggles, CDC-employed app developers.

There’s probably a lot more to be found (if anyone wants to take the time). You might even find actual Android malware. (As far as I can tell, these apps are only trying to exploit humans, not machines, so I cannot classify them as malware.)

But what you won’t find is a privacy-preserving contact tracing app, so don’t look for it just yet.

Want to know when one is available? Follow me on Twitter for updates: @SoatokDhole.

Which Apps Aren’t Fraudulent?

The CDC app, which was originally created for tuberculosis contact tracing, is legitimate (but not privacy-preserving in the way that cryptographers care about).

The TraceTogether app is the contact tracing app produced by the Singapore government.

The Takeaway

Just because it’s in the Google Play Store doesn’t mean it’s authentic or trustworthy. This should be common knowledge, but it never hurts to remind everyone.

That being said, I really wish Google would police its app store better.

I also wish they would forbid advertisements relating to national or global emergencies; i.e. COVID-19.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!
