New Android ransomware already active in the wild has caught the researchers’ attention. Identified as CryCryptor, this ransomware masks itself as a COVID-19 contact tracing app. It predominantly targets Android users in Canada.
CryCryptor Ransomware Targeting Android
In a recent post, researchers from ESET security have shared details about new ransomware. Dubbed as CryCryptor, this ransomware appeared on Google Play Store by masquerading as an Android COVID-19 contact tracing app.
The ransomware first caught the attention of another researcher who initially described it as a banking Trojan.
#Android #Banking #Trojan #Malware@Spam404 @malwrhunterteam
— Re-ind (@ReBensk) June 23, 2020
However, after further analysis of the app, ESET could establish that it’s ransomware – that too – a new one.
In brief, the ransomware reaches a target device after a user downloads the fake app. It then requests permission to access device files. Once granted, it then encrypts all major types of files in the device. Regarding this encryption, the researchers stated,
Selected files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created, and the original file is removed. The encrypted file has the file extension “.enc” appended, and the algorithm generates a salt unique for every encrypted file, stored with the extension “.enc.salt”; and an initialization vector, “.enc.iv”
However, unlike a PC ransomware that locks the victim out, CryCryptor simply leaves a ransom note after encryption. It displays a notification on the victim’s device asking to see the text file it left in every directory with encrypted files.
Good News – Decryption Tool Available
CryCryptor predominantly targeted the Android users in Canada as it surfaced online right after the government announced such a move. However, the official app is yet to appear online.
Thankfully, ESET researchers have some good news for the victims.
They found an “Improper Export of Android Application Components” (CWE-926) that allows other apps to use a component of the specified app.
Leveraging this bug, they developed a decryptor for CryCryptor (or CryDroid as named by the threat actors), making which wasn’t so difficult for them as the ransomware relies on open source code on GitHub.
Thus, the victims can get rid of this ransomware by downloading the decryptor. Nonetheless, all users must remain very careful while downloading even from the official app stores.