Australia’s anti-vaccine activists have made themselves easy targets for cybercriminals by embracing fake check-in apps and forged vaccination certificates that could attract significant penalties if used – and, security researchers warn, are increasingly riddled with malware.

The risks of fake QR codes have already been documented, but authorities were stunned by reports that an entire fake check-in app, circulating on websites and the anonymous messaging platform Telegram, lets users simulate checking in to venues without transmitting any data to government contact tracers.

The app – which appears to be hosted on a Russian website, creating jurisdictional challenges for Australian authorities that would surely like to see it taken down – emulates the look and feel of the NSW, Victoria and Queensland government apps.

The real apps scan a venue’s QR code, transmit the customer’s details to a government database, and display a distinctive checkmark that can be shown to staff; the fake lookalikes reproduce that checkmark screen but transmit nothing, because staff are checking a picture drawn by the phone rather than anything the government system has confirmed.

Users type in the name of the venue they are entering, which may be a tipoff for eagle-eyed employees if the text doesn’t exactly match the legal business name under which the venue is registered.
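To make the weakness concrete, the following is an added example, not code from any state check-in app or from the fake app: it sketches a hypothetical check-in flow in which the server returns a short signed receipt that the venue’s own staff device verifies, instead of staff trusting a tick the phone draws for itself. The venue identifier, key and customer reference are constructed sample values, and the per-venue HMAC key shared with the staff device is a design assumption for the sake of the demonstration.

```python
"""Added example: a green tick rendered on a phone proves nothing; a server-signed
receipt the venue can verify does. Hypothetical design, not a real app's code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (not real venues or keys). The server is assumed to share
# one verification key per venue with that venue's staff device only, so a key
# leaked from one venue cannot be used to forge receipts for another.
VENUE_ID = "nsw-venue-0001"
VENUE_KEYS = {VENUE_ID: b"constructed-per-venue-key-not-a-real-secret"}
TAG_LEN = 16          # truncated HMAC-SHA256 tag, in bytes
RECEIPT_TTL = 300     # seconds a receipt stays valid for the door check


def _encode(payload: dict) -> bytes:
    """Canonical JSON so the bytes that are tagged are the bytes that are checked."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def server_checkin(venue_id: str, customer_ref: str, now: int) -> str:
    """Server side: records the visit (omitted here) and returns a signed receipt.

    The tag covers venue, time and customer reference, so a receipt for one venue
    cannot be shown at another venue or reused hours later.
    """
    body = _encode({"v": venue_id, "t": now, "c": customer_ref})
    tag = hmac.new(VENUE_KEYS[venue_id], body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode()


def venue_verify(receipt: str, venue_id: str, now: int) -> bool:
    """Staff device: accepts only receipts the server signed for this venue recently."""
    key = VENUE_KEYS.get(venue_id)
    if key is None:
        return False
    try:
        raw = base64.urlsafe_b64decode(receipt)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        payload = json.loads(body)
    except (ValueError, TypeError):
        return False                      # malformed receipt
    if payload.get("v") != venue_id:
        return False                      # issued for a different venue
    if not 0 <= now - int(payload.get("t", 0)) <= RECEIPT_TTL:
        return False                      # stale or future-dated
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)   # constant-time comparison


def fake_app_checkin(venue_id: str, customer_ref: str, now: int) -> str:
    """Lookalike app: draws the tick locally and fabricates a receipt.

    It never contacts the server, so it holds no key and can only invent a tag.
    """
    body = _encode({"v": venue_id, "t": now, "c": customer_ref})
    return base64.urlsafe_b64encode(body + b"\x00" * TAG_LEN).decode()


def demo() -> dict:
    """Run the genuine and fake flows through the venue check and report outcomes."""
    now = int(time.time())
    genuine = server_checkin(VENUE_ID, "cust-42", now)
    fake = fake_app_checkin(VENUE_ID, "cust-42", now)
    return {
        "genuine": venue_verify(genuine, VENUE_ID, now),
        "fake": venue_verify(fake, VENUE_ID, now),
        "wrong_venue": venue_verify(genuine, "nsw-venue-0002", now),
        "stale": venue_verify(genuine, VENUE_ID, now + RECEIPT_TTL + 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} -> {'accepted' if ok else 'rejected'}")
```

The point of the sketch is where verification happens: the fake app can copy every pixel of the genuine screen, but it cannot produce a tag over the venue and timestamp without the key, so a staff device that checks the receipt rejects it, while a staff member who only looks at the tick accepts it.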

Effective contact tracing has been fundamental to government efforts to stem Australia’s ongoing third wave of COVID-19 – which has killed more than 50 people, hospitalised hundreds more, and spawned thousands of new cases as the Delta strain spreads across the country faster than lockdowns can contain it.

Hundreds of exposure sites have recently been added in NSW alone, based both on the tireless efforts of contact tracers and the data provided by customers respecting the legal requirement to check into businesses they frequent.

Yet even as authorities fight to keep up with the fast-spreading virus, revelations that some people were using the fake apps to circumvent the system were poorly received.

“Falsifying contact tracing information is not only illegal, but it puts them, their families and the entire community at risk of COVID-19 transmission,” a spokesperson for federal Health Minister Greg Hunt told Guardian Australia, adding that “states and territories have responded swiftly to anyone found to be wilfully breaching public health orders and we trust they will continue to do so.”

Part of a global movement

The Australian apps are the latest in a wave of fakes flagged by authorities in countries including the UK, Singapore and India, which earlier this year was fighting malware-laden apps purporting to be mobile versions of the government’s CoWIN vaccination-registration platform.

Conspiracy theorists and anti-vaxxers have also been flogging fake credentials such as badges purporting to justify mask-wearing exemptions, and fake vaccination certificates.

The latter have become so rife online that leading US Senator Chuck Schumer publicly called for a crackdown by the US Justice Department and US Customs and Border Protection, which has intercepted numerous overseas parcels containing bulk volumes of fake vaccination cards.

Security researchers at Check Point Software Technologies recently observed a 257 per cent increase in sales of the cards through Telegram; the cards are also offered for sale on dark web forums for around $135 (US$100), with versions tailored to nearly every country that issues them.

The cards are marketed as providing “registered vaccine certificates, vaccine cards and vaccine passports, for all those who don’t want to take the Vaccine… you don’t need to take the jab to have them [and] travel or work freely.”

“Vendors are choosing to advertise and do business on Telegram because it scales their distribution,” said Check Point head of products vulnerabilities research Oded Vanunu, “[but] I strongly recommend people to not engage these sellers for anything, as these vendors are after more than just selling you fake vaccination cards.”

Falsely using a US government agency’s seal carries a potential prison sentence, and similarly strict punishments are already provided for in Australia, where in Sydney, for example, lying to contact tracers or on a permit attracts a $5,000 fine.

Yet the biggest surprise for users of the fake apps may be the likelihood of a malware infection: malware has been found in fake COVID-related apps and QR-code hijacking schemes since the pandemic began.

Security researchers at Anomali last year identified a dozen malicious fake contact-tracing apps that were in fact thinly disguised malware loaders.

Australian Reddit users were quick to point out the foolishness of assuming that the new Russian contact-tracing simulator would be any better – with some comparing it to the AN0M messaging app, secretly run by police, that was used in a worldwide sting earlier this year.

“Anyone using a fake check in app is an absolute sucker,” one observer noted, while another called the app “an effective way to find the most gullible in society”.

“As usual,” said a third, “they are farming the dumbest among us.”