ESET experts discovered CryCryptor, a ransomware family targeting Android users. The malware masquerades as a COVID-19 situation monitoring tool. CryCryptor appeared just a few days after the Canadian government officially announced its intention to support the development of a national application, called COVID Alert, for voluntary monitoring of the spread of coronavirus.
Attackers urged users to download the malware through two supposedly Canadian websites dedicated to coronavirus. Both sites are currently blocked.
At startup, CryCryptor requested permission to access the victim's data and then encrypted the files on the device. The malware left a Readme_now.txt file in each directory containing a ransom demand and the criminal's email address.
Researchers found that CryCryptor was built on the open-source CryDroid encryptor, whose source code is freely available on GitHub. ESET notes that the developers of this "product" should have known that their code would be used for malicious purposes. In an attempt to present their malware as a research project, they wrote that they had uploaded the source code to VirusTotal (and experts confirm this). Nevertheless, the experts notified GitHub engineers about the nature of this code.
However, the CryCryptor developers made a mistake known as Improper Export of Android Components, which MITRE classifies as CWE-926. Thanks to this, ESET experts were able to quickly create a data decryption utility through which victims can regain access to their files. Note that the decryptor applies only to the analyzed version of the malware; against other variants it may be powerless.
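As an added illustration of the CWE-926 class of mistake named above (example code written for this article, not code from ESET, CryDroid or the malware), the following Python checker parses an AndroidManifest.xml and lists components that other apps on the device can reach. The sample manifest, its package name and component names are constructed for the example.

```python
"""Flag Android components that are exported to other apps (CWE-926)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_exported_components(manifest_xml: str):
    """Return (tag, name, reason) for each component reachable from other apps.

    A component counts as exported when android:exported="true", or when it
    declares an <intent-filter> without an explicit android:exported="false"
    (the implicit-export rule that applied before targetSdk 31). Components
    guarded by android:permission are still listed, with that noted.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for comp in ([] if app is None else list(app)):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = "exported=true"
        elif exported is None and has_filter:
            reason = "intent-filter with no explicit android:exported"
        else:
            continue  # exported="false", or no filter: not reachable
        if _attr(comp, "permission"):
            reason += " (guarded by android:permission)"
        findings.append((comp.tag, _attr(comp, "name"), reason))
    return findings


# Constructed sample manifest: one service exported outright, one receiver
# implicitly exported via its intent-filter, one service correctly hidden.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".FileService" android:exported="true"/>
    <service android:name=".InternalService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name, reason in find_exported_components(SAMPLE_MANIFEST):
        print(f"{tag:8} {name:18} {reason}")
```

Run against a decompiled APK's manifest, this is the first check an analyst makes when triaging whether an app's internal services can be invoked from outside it.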
ESET experts once again urge users to download and install applications only from official stores. They also advise paying close attention to the permissions an application requests, even when its developers seem trustworthy.