Fake Android Coronavirus App Reveals iPhone Spyware Potential

A new spyware campaign that uses both cryptocurrency and coronavirus as lures may be ready to strike iPhone and Android users.

Tom's Guide took a closer look at the domain names and companies listed in Trend Micro's report and found information that blurs the line between legitimate online businesses and possible criminal activity.

Android spyware apps can steal Facebook messages, WhatsApp messages, text messages, contact lists, call history, photos, location and device information from infected phones.

Although iOS apps have fewer information-stealing capabilities, Trend Micro believes that "apps may still be in development or in hiding, waiting for the 'right time' to inject malicious code."

Two of these apps are still available in both the Google Play and iOS app stores, but Trend Micro notes that the apparent malware's "coding style suggests that the cybercriminals behind this campaign are amateurs."

If you are an Android user, you will want to protect yourself with the best Android antivirus apps. The iPhone has no such antivirus software, but Apple told Trend Micro that the iOS "sandbox ... can detect and block these malicious activities."

The app appears to originate from a company called Concipit 1248, whose website declares it to be "the first cashback platform on the blockchain." The company offers a white paper explaining its business model, and its executives appear to be of mixed Pakistani and Italian descent; Concipit 1248 appears to be based in Estonia, and its website appears to be perfectly legitimate.

However, Concipit 1248 is associated with a website called Cashnow.ee. (The best antivirus software blocks access to it.)

A subdomain of that site, "spy.cashnow.ee," features a "V for Vendetta" mask along with the words "Project Spy 201" and "Target Mr. Anonymous." It looks like a full-blown cybercrime site, complete with a flashy background animation that references "Anonymous."

As a result, Trend Micro calls the entire operation "Project Spy."

Concipit 1248 currently has two apps, Concipit 1248 and Concipit Shop, in both the Google Play and iOS app stores.

The former has to do with the Ethereum cryptocurrency, while the latter appears to be a cash-back platform for online shopping. Both apps' self-descriptions are a salad of trendy tech/business buzzwords.

Trend Micro investigated the iOS version of the Concipit 1248 app and found it communicating with the "spyware.cashnow.ee" server. It is unclear whether Trend Micro investigated or was aware of Android versions of these apps.

The unraveling of this threat thread began last month when Trend Micro investigated a fake Android app called "Coronavirus Updates."

Tom's Guide looked for Coronavirus Updates in the official Google Play store. While we could not find it, Trend Micro's report suggested that the app had been there for some time.

Coronavirus Updates, as mentioned above, steals all sorts of information from Android phones; like the Concipit 1248 app for iOS, it connects to and logs into the aforementioned "spy.cashnow.ee" server.

Trend Micro discovered that "spyware.cashnow.ee" was also used in previous Android spyware apps, including a music sharing app that appears to be a fake version of TikTok. The app is no longer offered, but the developer was listed on Google Play as Concipit 1248.

Registration information for both the "concipit1248.com" and "cashnow.ee" domains is hidden behind a privacy proxy, but Tom's Guide found the contact name and e-mail address for "cashnow.ee" listed with the Estonian domain registrar. ("EE" is the suffix of the Estonian top-level domain.)

The contact name for "cashnow.ee" matches the name of the founder of Concipit 1248 as listed in the company's white paper, as well as the name of a 38-year-old man who is part of the management team of an Estonian company called CashNow.

The contact e-mail address apparently belongs to Concipit 1248; Tom's Guide sent a message to the company seeking comment on Trend Micro's report.

Trend Micro noted that "we will continue to monitor this campaign for further developments, as this is a group we have not observed before."

Tom's Guide must emphasize that these various companies and websites may be perfectly legitimate and may not be involved in anything illegal; even the "spyware.cashnow.ee" website may be a cynical joke. But there is plenty of circumstantial evidence to suggest otherwise.

