ESET experts discovered the CryCryptor ransomware, which targets Android users and masquerades as a COVID-19 monitoring application. CryCryptor appeared just a few days after the Canadian government officially announced its intention to support the development of a national application for voluntary monitoring of the spread of coronavirus, called COVID Alert.
Attackers urged users to download the malware through two supposedly Canadian sites dedicated to coronavirus. Both resources are currently locked.
Once installed, CryCryptor requested permission to access the victim’s data and then encrypted files on the device. The malware left a Readme_now.txt file in each directory with a ransom demand and the criminals’ e-mail address.
CryCryptor was built on the open-source cryptor CryDroid, whose source code is freely available on GitHub. ESET researchers note that the developers of this “product” should have known that their code would be used for malicious purposes.
In an attempt to pass their malware off as a research project, the CryDroid developers wrote that they had uploaded the sources to VirusTotal (which experts confirm). ESET nonetheless notified GitHub engineers about the origin of this code.
However, the developers of CryCryptor made a mistake known as Improper Export of Android Components, which MITRE classifies as CWE-926.
“Due to this bug, any app that is installed on the affected device can launch any exported service provided by the ransomware. This allowed us to create the decryption tool – an app that launches the decrypting functionality built into the ransomware app by its creators”, ESET experts write.
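The weakness ESET describes is declared at the manifest level: an Android service that carries an intent filter is exported by default, and an exported service can be started by any other app on the device, which is exactly the foothold the decryptor used. The AndroidManifest.xml fragment below is an added example, not code from the original article, from ESET’s decryptor or from the ransomware; the package name, class names and permission name are hypothetical. It places the weak declaration beside two corrected forms: a service kept private to its own app, and a service that must be callable from another app but is gated behind a signature-level permission.

```xml
<!-- Added example with hypothetical names; the three <service> entries are
     alternatives shown side by side for comparison, not one real app. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filetool">

    <!-- Only used by the third variant: apps signed with the same key as this
         app can hold this permission; nothing else on the device can. -->
    <permission
        android:name="com.example.filetool.permission.CRYPTO_SERVICE"
        android:protectionLevel="signature" />

    <application android:label="FileTool">

        <!-- WEAK (CWE-926): the intent filter makes the service exported by
             default, so any installed app can start it with a matching Intent. -->
        <service android:name=".ExportedCryptoService">
            <intent-filter>
                <action android:name="com.example.filetool.action.CRYPTO" />
            </intent-filter>
        </service>

        <!-- FIXED, internal-only: no intent filter and an explicit
             exported="false"; only this app's own components may start it,
             and they do so with an explicit Intent naming the class. -->
        <service
            android:name=".PrivateCryptoService"
            android:exported="false" />

        <!-- FIXED, deliberately shared: export is explicit, and callers must
             hold the signature-level permission declared above. -->
        <service
            android:name=".SharedCryptoService"
            android:exported="true"
            android:permission="com.example.filetool.permission.CRYPTO_SERVICE">
            <intent-filter>
                <action android:name="com.example.filetool.action.CRYPTO" />
            </intent-filter>
        </service>

    </application>
</manifest>
```

Two practical notes for reviewers: since Android 12 (API 31) the platform refuses to install an app whose service has an intent filter but no explicit `android:exported` value, so the weak form above is now caught at install time on current devices, but older targets still accept it silently. To audit a built package rather than source, `aapt dump xmltree app.apk AndroidManifest.xml` prints the binary manifest so the `exported` and `permission` attributes of every `<service>` can be checked.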
Although ESET specialists were able to quickly create a decryption utility with which victims can regain access to their files, the decryptor applies only to the analyzed version of the malware and may be useless against other variants.
ESET experts once again urge users to download and install applications only from official stores. In addition, they advise carefully considering the permissions an application asks for, even if its developers do not appear suspicious.
I also remind you that Old Faketoken Trojan Activates Due to COVID-19.