A new ransomware family, which ESET detects as CryCryptor, has been targeting Android users in Canada under the guise of an official COVID-19 tracing app. ESET put an end to the attack.
BRATISLAVA – Acting on a tweet that announced the discovery of what was thought to be Android banking malware, ESET researchers uncovered a ransomware operation targeting Android users in Canada. Using two COVID-19-themed websites, the attackers behind the operation lured people into downloading a ransomware app disguised as an official COVID-19 tracing tool. Both websites are now down. ESET researchers wrote a decryption tool for CryCryptor’s victims, based on a bug in the malicious app.
“CryCryptor contains a bug in its code that allows any app installed on the affected device to launch any service provided by the buggy app. So we created an app that launches the decrypting functionality built into CryCryptor,” explains Lukáš Štefanko, who conducted the research.
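On Android, the condition described in the quote above (any installed app can launch another app's service) arises when a service is exported without a permission requirement. The following added example, which is not code from ESET or from the original page, audits a decoded AndroidManifest.xml for that condition; the manifest, package name and service names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracing">
  <application>
    <service android:name=".WorkerService" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.tracing.SYNC"/></intent-filter>
    </service>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.tracing.INTERNAL"/>
    <service android:name=".PrivateService" android:exported="false"/>
    <service android:name=".HelperService"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; otherwise the legacy default applies:
    a component with an intent-filter is exported, one without is not."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def unprotected_services(manifest_xml):
    """Return names of services that any other installed app can start or bind."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for app in root.iter("application"):
        # A permission set on <application> is the default for its components.
        app_permission = app.get(ANDROID_NS + "permission")
        for svc in app.iter("service"):
            permission = svc.get(ANDROID_NS + "permission") or app_permission
            if is_exported(svc) and not permission:
                findings.append(svc.get(ANDROID_NS + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_services(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

The check does not inspect the protection level of a declared permission, so a service guarded by a permission that any app can obtain still needs manual review.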
The targeting of the ransomware operation, including its timing, coincides with the announcement by the Canadian government of the intention to back the development of a nationwide, voluntary tracing app to be called COVID Alert.
“Clearly, the operation using CryCryptor was designed to piggyback on the official COVID-19 tracing app,” comments Štefanko.
With the malicious websites down, security vendors aware and the decryptor available, this app no longer poses a threat. However, this is true only for the one particular version of CryCryptor.
CryCryptor is based on open source code. “We notified GitHub, where the code is hosted, but they don’t have an excellent track record in taking down malicious projects,” comments Štefanko.
ESET products provide protection against the CryCryptor ransomware, detecting it as Android/CryCryptor.A.
“Besides using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store,” concludes ESET’s Štefanko.
For more details, read the blog post “New ransomware posing as COVID‑19 tracing app targets Canada; ESET offers decryptor” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centres worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit https://www.eset.hk/ or follow us on Facebook.