COVID-Themed Ransomware Attack on Android Users Revealed

Details of a new COVID-themed ransomware attack on Android users in Canada, known as CryCryptor, have been revealed by ESET researchers. In the attack, people were lured into downloading a ransomware app disguised as an official COVID-19 tracing tool through two COVID-themed websites. This came shortly after the Canadian government announced its support for the creation of a nation-wide, voluntary tracing app to be called COVID Alert.

The websites have now been taken down, and ESET researchers wrote a decryption tool for victims, based on a bug in the malicious app. However, the discovery highlights how the COVID-19 pandemic has heightened susceptibility to attacks of this kind, with a sense of urgency and fear making people more likely to click on dangerous links. Lukáš Štefanko, malware analyst at ESET, said: “Clearly, the operation using CryCryptor was designed to piggyback on the official COVID-19 tracing app.”

ESET began its investigation after responding to a tweet announcing a discovery of what was thought to be Android banking malware. Štefanko explained: “CryCryptor contains a bug in its code that allows any app installed on the affected device to launch any service provided by the buggy app. So, we created an app that launches the decrypting functionality built into CryCryptor.”

Whilst this particular version of CryCryptor is no longer a threat, ESET emphasized that Android users must remain vigilant against similar forms of attack in the coming weeks. “Besides using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store,” said Štefanko.

A number of countries around the world have sought to use contact tracing apps to help them continue to contain the virus as lockdown measures are eased. However, this has raised a number of concerns over the security and privacy risks that are brought about by the data that is recorded.
