The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM UTC and caught by Palo Alto Networks Next-Generation Firewall.
Faced with malware that displayed no functionality or suspicious permissions beyond its use of Accessibility Services, all known security mechanisms failed to trigger any alarm. As a result, DEFENSOR ID made it onto the Google Play store, stayed there for a few months, and was never detected by any security vendor participating in the VirusTotal program.
While some cybercriminal groups have stated publicly that they will refrain from targeting hospitals and other critical institutions with ransomware during the coronavirus lockdown, others may have no such qualms.
According to a new Mimecast report, entitled "100 Days of Coronavirus", that tracks cybercrime activity since the start of the coronavirus outbreak, the volume of malicious and opportunistic activity across all types of cybercrime rose significantly, by 33%, in the period January to March 2020.
Individuals and organizations are likely to face increased cyberthreats from malicious actors attempting to target weakened network security as a result of more people teleworking.