Boy, they’re quick! Cybercrooks use Covid-19 tracing app to target Canadians


The convenience, power and mobility enabled by smartphones make them ideal for everything from checking store opening times to determining whether you’ve been near a Covid-19 outbreak. This utility also brings with it a sense of familiarity that can make us careless about how we use our phones.

Few users have the capacity to treat every (web) action they take, not to mention every application they download, as potentially dangerous. This alone is reason enough to choose a reputable mobile security app, like ESET Mobile Security (EMS), that can scan for and block threats while also helping users become more aware of security practices.


Apps like EMS can limit a huge cross-section of risks to mobile devices and their users. However, the threat environment users face is always evolving. So when our researchers discovered a new ransomware type, since named CryCryptor, on June 22, 2020, we thought we’d share this reminder to protect your “most used device.”
 
CryCryptor has been targeting Android users in Canada. It is distributed via two websites under the guise of an official Covid-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims. In fact, CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nationwide voluntary tracing app called COVID Alert. The official app is due to be rolled out for testing in the province of Ontario as soon as next month.

Normally, a newly released app would have been vetted by the security teams tasked to protect the Google Play Store, as well as the Google App Alliance, which includes ESET. ESET researchers informed the Canadian Centre for Cyber Security about this threat as soon as it was identified.

Figure 1. One of the malicious distribution websites; the other one has an identical design and differs only in its domain, covid19tracer[.]ca.

 

Once the user falls victim to CryCryptor, the ransomware encrypts the files on the device – all the most common types of files – but instead of locking the device, it leaves a ReadMe file with the attacker’s email in every directory with encrypted files. Fortunately, we were able to create a decryption tool for those who fall victim to this ransomware.

After we spotted the tweet that brought this ransomware to our radar (the researcher who discovered it mistakenly labeled the malware as a banking trojan), we analyzed the app. We discovered a bug that allowed us to create the decryption tool – an app that launches the decrypting functionality built into the ransomware app by its creators.

How does it encrypt?

After launch, the ransomware requests permission to access files on the device. After obtaining that permission, it encrypts files on external media with certain extensions. The files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created, and the original file is removed. 

Figure 2. Files after encryption.

 

After all the target files are encrypted, CryCryptor displays a notification: “Personal files encrypted, see readme_now.txt.” The readme_now.txt file is placed in every directory with encrypted files.

Figure 3. File encryption notification (left) and contents of the readme_now.txt file (right).
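When triaging a copy of a device's shared storage, the two artifacts described above can be checked together: a readme_now.txt note in a directory, and groups of three sibling files whose original is gone. The script below is an added example, not ESET's code. The article does not name the three files, so the check matches on the pattern only, and the .x1/.x2/.x3 suffixes in the sample are placeholders.

```python
import os
import tempfile

NOTE = "readme_now.txt"  # ransom note name given in the article


def missing_originals(names):
    """Map each absent original name to the 3 sibling files derived from it."""
    groups = {}
    for name in names:
        parts = name.split(".")
        for i in range(1, len(parts)):
            prefix = ".".join(parts[:i])
            if prefix and prefix not in names:  # original itself is gone
                groups.setdefault(prefix, set()).add(name)
    hits, claimed = {}, set()
    # Longest prefix first, so "photo.jpg" wins over "photo".
    for prefix in sorted(groups, key=len, reverse=True):
        members = groups[prefix]
        if len(members) == 3 and not members & claimed:
            hits[prefix] = sorted(members)
            claimed |= members
    return hits


def scan(root):
    """Return {relative dir: {missing original: [3 files]}} for dirs holding the note."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE in files:
            rel = os.path.relpath(dirpath, root)
            report[rel] = missing_originals(set(files) - {NOTE})
    return report


def demo():
    # Constructed sample tree; the .x1/.x2/.x3 suffixes are placeholders.
    tree = {
        "DCIM": [NOTE, "photo.jpg.x1", "photo.jpg.x2", "photo.jpg.x3", "keep.png"],
        "Download": ["report.pdf", "report.pdf.bak"],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, files in tree.items():
            os.makedirs(os.path.join(root, folder))
            for name in files:
                open(os.path.join(root, folder, name), "w").close()
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

The three-file grouping is a heuristic, so it is only applied in directories that also contain the note.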

 

Decryption and protection

The decryptor app can be downloaded here. Keep in mind that the ESET decryption app only works for this version of CryCryptor. Just as this ransomware was quickly spawned, new versions can arise just as fast. We have also prepared a video that explains the process of encryption and decryption.

Because of this discovery, all ESET products, including ESET Mobile Security, now provide protection against CryCryptor ransomware. On top of using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store. For more, follow WeLiveSecurity for updates on threats to mobile security and other online security tips.

ESET Mobile Security features:  
Antivirus, real-time and scheduled scanning, security report, activity log, remote lock, remote siren, tablet support, app lock, anti-phishing, proactive anti-theft, automatic update of virus database, connected home monitor, security audit and more.