Jan 4, 2022
93 Views
0 0

New ransomware posing as COVID‑19 tracing app targets Canada; ESET offers decryptor

Written by

ESET researchers dissect an Android app that masquerades as an official COVID-19 contact-tracing app and encrypts files on the victim’s device
New ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims.
CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert. The official app is due to be rolled out for testing in the province of Ontario as soon as next month.
ESET informed the Canadian Centre for Cyber Security about this threat as soon as it was identified.
Figure 1. One of the malicious distribution websites; the other one has identical design and differs only in its domain, covid19tracer[.]ca.
Once the user falls victim to CryCryptor, the ransomware encrypts the files on the device – all the most common types of files – but instead of locking the device, it leaves a “readme” file with the attacker’s email in every directory with encrypted files.
Fortunately, we were able to create a decryption tool for those who fall victim to this ransomware.
RELATED READING: Mobile security threats amid COVID‑19 and beyond: A Q&A with Lukas Stefanko
After we spotted the tweet that brought this ransomware to our radar (the researcher who discovered it mistakenly labeled the malware as a banking trojan), we analyzed the app. We discovered a bug of the type “Improper Export of Android Components” that MITRE labels as CWE-926.
Due to this bug, any app that is installed on the affected device can launch any exported service provided by the ransomware. This allowed us to create the decryption tool – an app that launches the decrypting functionality built into the ransomware app by its creators.
After launch, the ransomware requests to access files on the device. After obtaining that permission, it encrypts files on external media with certain extensions, which are shown in Figure 2.
Figure 2. File extensions to be encrypted
Selected files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created, and the original file is removed. The encrypted file has the file extension “.enc” appended,  and the algorithm generates a salt unique for every encrypted file, stored with the extension “.enc.salt”; and an initialization vector, “.enc.iv”
Figure 3. Files after encryption
After all the target files are encrypted, CryCryptor displays a notification “Personal files encrypted, see readme_now.txt”. The readme_now.txt file is placed in every directory with encrypted files.
Figure 4. File encryption notification (left) and contents of the readme_now.txt file (right)
The service responsible for file decryption in CryCryptor has the encryption key stored in shared preferences, meaning it doesn’t have to contact any C&C to retrieve it. Importantly, the service is exported without any restriction in the Android Manifest (security weakness CWE-926), which means it is possible to launch it externally.
Based on this, we created an Android decryption app for those affected with the CryCryptor ransomware. Naturally, the decryption app works only on this version of CryCryptor.
The CryCryptor ransomware is based on open source code on GitHub. We discovered it there using a simple search based on the app’s package name and a few strings that looked unique.
The developers of the open source ransomware, who named it CryDroid, must have known the code would be used for malicious purposes. In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal service. While it’s unclear who uploaded the sample, it indeed appeared on VirusTotal the same day the code was published on GitHub.
Figure 5. The open source ransomware
We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.
We notified GitHub about the nature of this code.
ESET products provide protection against the CryCryptor ransomware, detecting it as Trojan.Android/CryCryptor.A. On top of using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store.
We have prepared a video that that shows the process of encryption and decryption, along with our explanation.

https://covid19tracer[.]ca/
https://tracershield[.]ca/

source

Article Categories:
Malware

Comments are closed.