Capitalizing on a Canadian government announcement pertaining to the development of a nationwide, voluntary Covid-19 contact tracing app, malicious actors this month created a fake version of such an app that in reality infects Android users with mobile ransomware.
According to a new blog post from ESET, the ransomware, dubbed CryCryptor, was found being distributed by two websites that falsely claim to represent Health Canada. The real Bluetooth-based contact tracing app, called “COVID Alert,” isn’t even available yet, but reportedly may be tested in the province of Ontario next month.
“Clearly, the operation using CryCryptor was designed to piggyback on the official Covid-19 tracing app,” says blog post author and malware researcher Lukáš Štefanko in a company press release.
The two malicious domains were listed as tracershield[.]ca and covid19tracer[.]ca and the name of the fake app was Covid-19 Tracer App.
“This is yet another example of attackers using the current Covid-19 situation as an attack vector on people,” added Erich Kron, security awareness advocate at KnowBe4. “Given the emotional nature surrounding the pandemic and the latest spikes in new cases, the bad actors have no problem cashing in on the chaos.”
“Hearing about a COVID-19 tracker through official government channels, people are more likely to look for and install an app, especially when it is made to look official,” Kron continued. “Once this trust is established, people are more likely to dismiss any suspicions when the tracking app requests access to files on their device and approve the request. This opened the door for the attack to be successful.”
ESET, which credits the discovery of CryCryptor to a reverse engineer who uses the handle @ReBensk on Twitter, analyzed the ransomware and was able to devise a decryption tool for it.
Štefanko says CryCryptor requests permission to access files and, if granted, employs an AES algorithm to encrypt the most common file types on external media, using a randomly generated 16-character key. It then drops a “readme” file containing the attacker’s email contact information into any directory holding affected files. The device is not locked, however.
“After CryCryptor encrypts a file, three new files are created, and the original file is removed,” Štefanko says in his blog post. “The encrypted file has the file extension ‘.enc’ appended, and the algorithm generates a salt unique for every encrypted file, stored with the extension ‘.enc.salt’; and an initialization vector, ‘.enc.iv’.”
Kron said he found it interesting that .jpg, .png and .avi files were targeted. “By encrypting photos and videos on the external storage on the phone as opposed to simple documents, the attackers are making it personal and attempting to improve their odds of payment. People tend to keep a lot of personal photos on their devices, which makes them a prime target.”
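The three-file layout Štefanko describes (an `.enc` file beside an `.enc.salt` and an `.enc.iv` sibling, the original removed, a “readme” note in each affected directory) is a usable triage signature. The script below is an added example, not ESET’s decryptor or any code from the malware; it walks a storage tree, classifies what it finds against that pattern, and counts hits on the photo and video extensions Kron mentions. It assumes the note’s filename begins with “readme” (the post gives no exact name) and builds its own constructed sample directory so it runs offline.

```python
"""Triage a storage tree for the CryCryptor artifact layout described in the post.

Added example, not ESET's decryptor or the malware's code. Assumptions: each
encrypted file is <name>.enc beside <name>.enc.salt and <name>.enc.iv, the
original is deleted, and a note whose name starts with "readme" sits in every
affected directory (the post only says "readme"; the exact filename is assumed).
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field

ENC, SALT, IV = ".enc", ".enc.salt", ".enc.iv"
TARGETED = (".jpg", ".png", ".avi")  # extensions the post says were targeted


@dataclass
class Triage:
    complete: list[str] = field(default_factory=list)   # .enc with both .enc.salt and .enc.iv
    partial: list[str] = field(default_factory=list)    # .enc missing a salt or iv sibling
    leftovers: list[str] = field(default_factory=list)  # plaintext original still on disk
    note_dirs: list[str] = field(default_factory=list)  # directories holding a ransom note
    media_hits: int = 0                                 # encrypted files with a targeted extension


def triage(root: str, note_prefix: str = "readme") -> Triage:
    """Walk `root` and classify every artifact that matches the three-file pattern."""
    t = Triage()
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        if any(n.lower().startswith(note_prefix) for n in names):
            t.note_dirs.append(dirpath)
        for name in sorted(files):
            if not name.endswith(ENC):          # .enc.salt / .enc.iv do not end in .enc
                continue
            stem = name[: -len(ENC)]            # original filename, e.g. photo.jpg
            path = os.path.join(dirpath, name)
            if stem + SALT in names and stem + IV in names:
                t.complete.append(path)
            else:
                t.partial.append(path)          # interrupted run, or a different family
            if stem in names:
                t.leftovers.append(os.path.join(dirpath, stem))
            if stem.lower().endswith(TARGETED):
                t.media_hits += 1
    return t


def build_sample() -> str:
    """Construct a throwaway directory that mimics an affected external storage (constructed data)."""
    root = tempfile.mkdtemp(prefix="crycryptor_triage_")
    dcim = os.path.join(root, "DCIM")
    docs = os.path.join(root, "Documents")
    os.makedirs(dcim)
    os.makedirs(docs)
    layout = {
        dcim: {"readme.txt": b"contact: placeholder@example.invalid (constructed note)",
               "photo1.jpg.enc": b"\x00" * 64, "photo1.jpg.enc.salt": b"\x01" * 16,
               "photo1.jpg.enc.iv": b"\x02" * 16,
               "clip.avi.enc": b"\x00" * 64, "clip.avi.enc.salt": b"\x01" * 16},  # iv missing
        docs: {"notes.txt": b"original left behind", "notes.txt.enc": b"\x00" * 32,
               "notes.txt.enc.salt": b"\x01" * 16, "notes.txt.enc.iv": b"\x02" * 16},
    }
    for d, entries in layout.items():
        for fname, data in entries.items():
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample())
    print(f"{len(result.complete)} fully encrypted, {len(result.partial)} partial, "
          f"{len(result.leftovers)} originals left, notes in {len(result.note_dirs)} dirs, "
          f"{result.media_hits} targeted media files")
```

A `partial` entry (an `.enc` without its salt or IV sibling) is worth a second look before anyone attempts recovery: without both companions the file cannot be decrypted even with the key, and the mismatch may also mean a different family that happens to use the same suffix.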
ESET reports CryCryptor is based on open-source code that was placed on GitHub on June 11 by developers who call the program CryDroid. While the developers claim on the GitHub page that they published the code for research purposes, ESET asserts that such claims are dubious.
“In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal service. While it’s unclear who uploaded the sample, it indeed appeared on VirusTotal the same day the code was published on GitHub,” Štefanko writes. “We dismiss the claim that the project has research purposes — no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.”
Just one day after the CryDroid code was published on GitHub, the first of the two domains that would distribute the fake Canadian Covid-19 app was registered; the second was registered on June 21. The app itself was compiled on June 18. ESET says it alerted the Canadian Centre for Cyber Security on June 23, and the two domains stopped responding the same day.
ESET says it was able to create a decryption tool thanks to an “Improper Export of Android Components” bug its researchers discovered in the malware’s code. “Due to this bug, any app that is installed on the affected device can launch any exported service provided by the ransomware. This allowed us to create… an app that launches the decrypting functionality built into the ransomware app by its creators,” the blog post states.
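The bug ESET leaned on is a manifest-level mistake: a service marked as exported can be started by any other app on the device. The check below is an added example (not ESET’s decryptor and not CryCryptor’s code) of how an app analyst would spot that class of weakness before it matters. It parses a decoded `AndroidManifest.xml` (assumed already extracted with apktool or a similar tool) and reports activities, services and receivers reachable from other apps: those with `android:exported="true"`, and those with no `android:exported` attribute but an `<intent-filter>`, which Android versions before 12 treat as exported by default. The manifest and component names in the sample are constructed placeholders.

```python
"""Static check for the weakness ESET used: Android components reachable from other apps.

Added example, not ESET's decryptor or CryCryptor's code. It parses a decoded
AndroidManifest.xml (assumed already decoded with apktool or similar) and lists
activities, services and receivers any co-installed app can start:
- android:exported="true", or
- no android:exported attribute but an <intent-filter>, which Android before 12
  treats as exported by default.
The manifest below is constructed for the example; component names are placeholders.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver")

# Constructed sample: one launcher activity, three services, one receiver.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".EncryptService" android:exported="true"/>
    <service android:name=".DecryptService" android:exported="true"/>
    <service android:name=".InternalService" android:exported="false"/>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.app.ADMIN"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _android_attr(elem: ET.Element, name: str) -> str | None:
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exposed_components(manifest_xml: str) -> list[dict]:
    """Return every activity/service/receiver another app can reach, with the reason."""
    findings: list[dict] = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = _android_attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter present and android:exported unset (exported by default before Android 12)"
        else:
            continue  # explicitly unexported, or implicitly private (no filter)
        findings.append({
            "type": elem.tag,
            "name": _android_attr(elem, "name"),
            "reason": reason,
            "permission": _android_attr(elem, "permission"),
        })
    return findings


def unprotected(findings: list[dict]) -> list[dict]:
    """Keep only components exposed without any android:permission guard."""
    return [f for f in findings if not f["permission"]]


if __name__ == "__main__":
    for f in unprotected(exposed_components(SAMPLE_MANIFEST)):
        print(f"{f['type']:9} {f['name']:18} {f['reason']}")
```

The launcher activity will always appear in the output, since it must be reachable; the actionable lines are exported services and receivers with no `android:permission`. The fix for a component that only the app itself should start is `android:exported="false"`, or a signature-level permission where another app from the same signer legitimately needs it.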
ESET advises users to only download apps from reputable online marketplaces such as Google Play.