An app installed by over four million Iranian citizens has been taken down from the Google Play store, following accusations that it was spying on them and that it was misleading by design.
Over four million Iranians had installed the ‘AC19’ app after the Iranian government sent a mass SMS to all its citizens encouraging them to do so. Promising to detect coronavirus symptoms, the app was intended to help relieve the burden on the country’s hospitals from citizens rushing in to check whether their symptoms matched those of the deadly new virus.
However, since the app collected phone numbers and geographic location details, the government was soon accused of wanting to use it to spy on people. The country saw several large anti-government protests just prior to the coronavirus outbreak, in the aftermath of the revelation that the government had accidentally shot down a Ukrainian plane carrying several of Iranian citizens as well as foreign nationals.
#Breaking— 🤖Nariman (@NarimanGharib) March 7, 2020
Iran’s Health Ministry sent a message to Iranians asking them to use an app to check potential #coronavirus symptoms, before heading to the hospital.
We just uncovered that the Iranian regime is using this app as a tool to spy on Iranians.https://t.co/uH5MRYIv16 pic.twitter.com/2tjUMD26Jk
While Google gave no reason for pulling it from the app store, ZDNet reported that it could have been due to the misleading claim that the app could detect symptoms. The website also spoke to Android malware researcher Lukas Stefanko who said that it was not “a malicious Trojan or spyware.”
Iran’s Information and Communication Technology minister even shared a tweet showing a ‘risk map’ of the coronavirus based on the “data mining of 4 million participants in AC19 app”.
از دادهکاوی اطلاعات ۳ میلیون نفر از مشارکتکنندگان در اپلیکیشن ac19، این نقشهی میزان خطر احتمال ابتلا به #کرونا در مناطق تهران به دست آمد.— MJ Azari Jahromi (@azarijahromi) March 9, 2020
رسانه باشید تا دیگران نیز از مخاطرات اطراف خود آگاه شوند. لطفا در خانه بمانید!
#همهباهم برای ایران🇮🇷 pic.twitter.com/5slrA8iDhW
The French cybersecurity researcher who goes by the name ‘Elliot Anderson’ has explored the app to find out what data it collects and who it sends this data to. In a Twitter thread, Anderson connects the app to an Iranian app developer who has made products for the Iranian government in the past.
Anderson shows how the website offering direct downloads of the app was registered by a Mostafa Anoosheh, who was linked to an app developer that had earlier created clones of the popular messaging app Telegram, which were accused of spying on their users. In December 2018, Telegram started sending a message to users of these apps warning them that the app could be unsafe. The apps were removed from the Google Play store, and some reports claim their makers were linked to Iranian intelligence agencies.
Anderson also pointed out that since the app did not have ‘rate-limiting’, there was scope for it to abuse the OTP code validation process and possibly take over the users’ other accounts.
PS2: You can probably take over any user account in the app. There is no rate limiting in the otp code validation during the register process. So you can test all the possible code and boom. I didn’t test fully but it should work. But hey it’s a secret don’t tell anyone 🤫— Elliot Alderson (@fs0c131y) March 10, 2020
Anderson had earlier revealed how an estimated 67 lakh Aadhaar numbers could have been leaked by state-owned gas company Indane.
Iran currently battles the worst coronavirus outbreak in the Middle East. With over 7,000 cases and 237 deaths, Iran also faces mounting public panic after several officials have tested positive for the virus and some citizens indulged in activities like the ‘lick the shrine’ challenge.