Two weeks ago, millions of Iranians simultaneously received a notification on their smartphones from the Iranian Ministry of Health about the need to install an application supposedly allowing them to diagnose the coronavirus.
“Dear compatriots, before going to a hospital or health center, install this program to check if you or your loved ones are infected with the coronavirus,” the notification says. The message also includes a link to the Iranian application store Cafe Bazaar, from where you need to download the AC19 application developed by the Ministry of Health.
Of course, the application cannot diagnose a coronavirus in a person in any way. What it really can do is collect confidential user data (name, address, date of birth) and track his movements in real time.
Once loaded onto the device, the AC19 asks for phone number verification (although the Iranian government already controls all numbers through carriers), as well as permission to collect accurate location data, which is then sent to government-owned servers.
Permission requests for certain actions are part of Android, and users can choose to accept or reject them. However, the problem is that in AC19 the requests are displayed in English and most Iranian users do not understand their content, so they blindly agree. Moreover, 40% of users in Iran have old versions of Android installed on their smartphones, on which the application asks for nothing at all, but simply collects user data without their consent.
According to security researcher Nariman Gharib, AC19 uses the Android library typically found in fitness apps to track motion. “They (the government - ed.) Can literally track you. If your device moves from point A to point B, they will see it in real time, ”Garib told VICE News.
