The Indian Computer Emergency Response Team (CERT-In) has warned users about the fake apps masquerading as CoWin, which is the official platform for booking COVID vaccination slots or registering for the vaccine. The CERT has reported that the apps are being circulated through viral SMSes.
The CERT-in has alerted users about the fake CoWin apps that are sneaking into the phones of users and gaining illegal access to the sensitive information of users. The SMS that is doing the rounds claims to provide apps to users to get themselves registered for the COVID-19 vaccine. It has been reported that the language of the SMS changes from time to time but it carries one of the five APK links that the CERT-IN has warned users about. Following are some of the APK files that are being circulated- Covid-19.apk, vaci_regis.apk, myvaccine_v2.apk, cov-regis.apk, vccin-apply.apk.
“The SMS carries a link that installs the malicious app on Android-based devices, which essentially spreads itself via SMS to victims’ contacts. The app also gains unnecessary permissions that attackers could leverage to acquire user data such as contact list,” CERT-in said in its advisory.
The SMS convinces users to download any of the APK links on their smartphone. Notably, none of these APK links redirects you to Google Play Store or Apple App Store when you click on it. The APK instantly gets downloaded on your smartphone when you tap on it. No authorized app can get downloaded on your phone instantly, the phone would first ask for your permission but nothing like that happens when you click on one of these APKs. Such files are being sent with the intention to steal passwords and other sensitive information of users. CERT-In urged has urged users to “beware about phishing and fake domains, emails, text messages and phone calls which falsely claim covid vaccine registrations.”
Users should be wary that the only authorised platform to book the COVID vaccination slot is the Cowin website. The Aarogya Setu can also be used to do the same. Any other app which claims to do is mostly fake.