Hackers Spreading CryCryptor Ransomware Disguised as Canada’s COVID-19 App

During the COVID-19 pandemic, the healthcare industry is being plagued by a myriad of cybersecurity-related issues. Recently, a brand-new malware family strain has arisen in Canada, targeting Android users and locking up personal photos and videos.

What happened

When Health Canada announced the launch of a tracing app against COVID-19, the CryCryptor malware operators started doing rounds. The ransomware was traced back to GitHub after its source code, named as CryDroid, was made public on 11 June.
  • In June, ESET researchers discovered that the CryCryptor operators lured Canadian people into downloading a ransomware app disguised as an official COVID-19 tracing tool.
  • The malware was propagating via two different bogus websites (covid19tracer[.]ca and tracershield[.]ca).
  • Once gained access, the malware encrypted targeted files by adding extensions (‘.enc’, ‘.enc.salt’, and ‘.enc.iv’) and removed the original file from the infected computer. The ransomware left a text file “readme” in each directory where encrypted files were stored.

No longer a threat

  • ESET researchers found a security weakness, labeled as CWE-926, in the malicious app (Android/CryCryptor.A.), and created a decryption tool to decrypt the files on the affected device.
  • This ransomware can also be detected and removed using the Windows Defender Antivirus.

Other malicious apps

Threat actors have been distributing fake Android apps themed around official government COVID-19 contact tracing apps and others.
  • In June, Anomali Threat Research found 12 malicious COVID-19-themed applications that appeared to be targeting citizens of multiple countries. These apps contained malware, primarily Anubis and SpyNote, and other generic malware families.
  • In May, the Chartered Trading Standards Institute (CTSI) of UK warned of a phishing scam themed around the Covid-19 app that fooled people into believing they have been in contact with someone who has tested positive for the virus.

Stay safe

Android users should install apps only from reputable sources. Adopt multi-factor authentication (MFA) and reliable endpoint solutions.