Android Ransomware Called CryCryptor Is Concealed Using a Fake COVID-19 Tracing App in Canada
On Tuesday, an independent reverse engineer going by the Twitter handle Re-ind stumbled upon a couple of recently registered domains trying to push a malicious Android application. Re-ind's initial investigation suggested that the crooks were distributing a banking trojan, but after researchers from ESET took a closer look, they realized that it's actually a new strain of ransomware called CryCryptor. At first glance, it looked like the campaign was the brainchild of a sophisticated cybercriminal gang.
Cybercrooks take advantage of the COVID-19 pandemic again
The malicious websites were set up mere days after Justin Trudeau, Canada's Prime Minister, announced that the government is backing the development of a COVID-19 contact tracing application. Like other countries around the world, Canada is in the process of launching an app that is supposed to alert people who have been in close contact with confirmed coronavirus cases. The application is still under development, and it will most likely be launched early next month. The cybercriminals were counting on people not knowing that the official app had not yet been released.
They put a lot of effort into disguising the CryCryptor ransomware as Canada's upcoming COVID-19 contact tracing app. The landing pages did a fine job of impersonating the Canadian Government's website, and, as ESET's researchers pointed out, the usual grammatical and spelling errors were missing.
There were a couple of paragraphs introducing the app and explaining its benefits, and to the left of them, there was a giant "Get it on Google Play" button. Confusingly, fine print underneath that button explained that Google Play was still in the process of approving the application, which is why the app could only be downloaded from "our server." Apart from that, there was virtually nothing that could give away the scam.
Shortly after discovering the threat, ESET's researchers notified the Canadian Centre for Cyber Security, and within hours, the malicious websites were down. Of course, before that happened, the experts took a closer look at the CryCryptor ransomware.
CryCryptor is not a very sophisticated threat
Many Android ransomware strains avoid the complicated business of encrypting data and instead simply change the device's password. CryCryptor isn't one of them.
The ransomware encrypts each file with AES, writes the output to a file with a .enc extension, and deletes the original. For each encrypted file, it also creates two companion files holding a unique salt and an initialization vector.
After the encryption is done, CryCryptor tells the user that their data has been encrypted and urges them to follow the instructions in the "readme_now.txt" file. The ransom note doesn't state the actual ransom amount and instead gives the user a unique ID and an email address they need to contact. Fortunately, the crooks' demands aren't that relevant in this particular case because files encrypted by CryCryptor can be retrieved for free.
ESET's researchers reverse-engineered the ransomware and found out that to avoid transferring the encryption key to and from the Command & Control (C&C) server, the crooks had decided to store it on the device. Thanks to this, the security experts were able to create and release a free decryption tool that helps users affected by CryCryptor retrieve their data without paying the ransom.
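To show why keeping the key material on the device made a free decryptor possible, here is an added example (not ESET's tool and not CryCryptor's code) of a recovery routine: given one .enc blob, its companion salt and IV files, and the secret the malware left on the device, the file comes back without any contact with the C&C server. The key-derivation function, the AES-CBC mode and the PKCS#7 padding are assumptions for illustration; the article does not describe those details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey stands in for the real key-derivation step, which the article does not
// describe (hypothetical): the per-file salt is mixed with the secret the malware
// left on the device, so everything the key depends on is recoverable locally.
func deriveKey(secret, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, secret...), salt...))
	return h[:]
}
// Recover decrypts one .enc blob from its companion salt and IV files plus the
// on-device secret. AES-CBC with PKCS#7 padding is assumed, not stated by the article.
func Recover(enc, salt, iv, secret []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize || len(enc) == 0 || len(enc)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext or IV has wrong length")
	}
	block, err := aes.NewCipher(deriveKey(secret, salt))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, enc)
	n := int(plain[len(plain)-1]) // PKCS#7: last byte is the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong secret or corrupted file")
	}
	return plain[:len(plain)-n], nil
}
// EncryptSample builds a constructed .enc blob purely so Recover can be exercised offline.
func EncryptSample(plain, salt, iv, secret []byte) []byte {
	block, _ := aes.NewCipher(deriveKey(secret, salt))
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
func main() {
	secret, salt, iv := []byte("constructed-device-secret"), []byte("constructed-salt"), []byte("0123456789abcdef")
	enc := EncryptSample([]byte("family photo bytes (constructed)"), salt, iv, secret)
	got, err := Recover(enc, salt, iv, secret)
	fmt.Printf("%q %v\n", got, err)
}
```

A real decryptor would read the secret from wherever the malware stored it on the device and loop over every .enc file with its two companion files; the point is that no server-side key is needed.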
Further investigation confirmed that the criminals were rather lazy when they were preparing the technical side of their attack. They didn't even bother to come up with their own ransomware family. Instead, they based CryCryptor on CryDroid, an Android ransomware strain that was recently open-sourced through GitHub.
The problem with open-source ransomware
The README file in CryDroid's repository says that the author is a security expert who wants to share the code with fellow researchers and that the malware shouldn't be used for attacking innocent victims. Clearly, this didn't stop the cybercriminals from abusing it. In fact, the code became public on June 11, and just a week later, it was already rebranded and ready to be unleashed on Canadian users.
This is not the first time this has happened, either. In 2015, a security expert used GitHub to share a Windows ransomware threat called Hidden Tear for what he claimed was research purposes. He inadvertently spawned a wide variety of file-encrypting threats that continue to torment users to this day. Most campaigns based on publicly available malware might be small and relatively harmless, but that doesn't change the fact that even with the best intentions in the world, open-sourcing malicious code is making the cybercriminals' lives a lot easier. In this day and age, security experts should know better than this.