Enterprise employees and Army Personnel specifically targeted: Aarogya Setu


There is no doubt that the Government is trying its level best to protect the netizens of the country by providing food, clothing and shelter, and now with a huge allocation of funds to protect industrial growth and provide incentives to farmers and the needy, but the recent Aarogya Setu app raises many questions about its security vulnerability.

There is a meteoric rise in phishing attempts centred around COVID-19, and Aarogya Setu has become a major phishing scandal in the last 12 days starting April 28, 2020, with a massive spike beyond May 4, 2020.


The Home Ministry in India earlier notified that the app is mandatory for all public and private sector organisations resuming work, and laid the onus of compliance on the head of the organisation, opening the way for CEO scams and Business Email Compromise (BEC) scams to rise even further, specifically after this was announced in early May 2020. Attacks of many kinds are doing the rounds, with lures including but not limited to ‘HR release on Aarogya Setu’, ‘HR mandates Aarogya (sic) Setu’, ‘Your neighbour is affected’, ‘See who all are affected’, ‘Your area is the next to go into quarantine’, and many others.


“The massive rise in Aarogya Setu-focussed scams has seen a meteoric rise among enterprise customers, specifically since the Indian government mandated the use of it for public and private organisations’ employees, and putting the onus of 100 percent compliance on the head of the organisation. Scammers have seen this as a huge opportunity because people expect to hear from their CEOs, Heads of organisations and HR departments at such times, meaning that emails will be opened, and employees baited. On our part, we have opened up our tool to organisations public and private to use it free to counter this threat,” said Ankush Johar, Director at HumanFirewall and Infosec Ventures.


The Indian armed forces had also issued an advisory that ‘inimical intelligence agencies’ are spreading fake Aarogya Setu apps via WhatsApp (whishing), SMS (smishing) and phishing emails. These fake apps take control of the army personnel’s devices and pose a huge risk, as affected phones can record voices, track locations and take videos without the user knowing. Earlier, Google said it was blocking 18 million phishing emails a day related to COVID-19 alone. Globally too, the HumanFirewall anti-phishing lab has seen a rise of over 700%, i.e. a 7X increase, in phishing attacks in April 2020.


Among its globally distributed customers spread across 142 countries, HumanFirewall’s internal anti-phishing labs team has been battling a rise of over 700% in overall attacks, where COVID-19 is the single biggest contributor over April and the first 9 days of May 2020. Aarogya Setu was seen as an outlier in this threat intelligence from April 28, 2020, onwards until the time of this release on May 13, 2020.


Hence, it is time for the Government to check the security issue, which has been noticed by global experts in cyber security, and there is absolutely no harm in updating the recommended features. After all, if we could make the app robust, then there is always an added advantage, the expert concludes.