ESET investigators analyze an Android app that masquerades as an official COVID-19 contact tracking app and encrypts files on the victim’s device
The new CryCryptor ransomware has been targeted at Android users in Canada, distributed across two websites under the guise of an official COVID-19 tracking app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for victims.
CryCryptor appeared just days after the Canadian government officially announced its intention to support the development of a nationwide voluntary tracking app called COVID Alert. The official app will be released for testing in the province of Ontario next month.
ESET informed the Canadian Centre for Cyber Security of this threat as soon as it was identified.
Once a user falls victim to CryCryptor, the ransomware encrypts the most common file types on the device. Instead of locking the device, it leaves a "readme" file containing the attacker's email address in every directory that holds encrypted files.
Fortunately, we were able to create a decryption tool for those who are victims of this ransomware.
After spotting the tweet that brought this ransomware to our attention (the researcher who discovered it mistakenly labeled the malware as a banking trojan), we analyzed the application. We discovered a bug of the type "Improper Export of Android Application Components", which MITRE classifies as CWE-926.
Because of this bug, any application installed on the affected device can start any exported service provided by the ransomware. This allowed us to create the decryption tool: an application that launches the decryption functionality the ransomware's creators built into their own app.
Encryption functionality
After launch, the ransomware requests permission to access files on the device. Once it has that permission, it encrypts files on external storage that have certain extensions, shown in Figure 2.
The selected files are encrypted with AES using a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created and the original is deleted: the encrypted file gets the extension ".Enc" appended, and the algorithm generates a unique salt for each encrypted file, stored with the extension ".Enc.salt", and an initialization vector, stored with the extension ".Enc.iv".
After all targeted files are encrypted, CryCryptor displays the notification "Personal files encrypted, see readme_now.txt". The readme_now.txt file is placed in every directory containing encrypted files.
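The on-disk footprint just described (NAME.enc beside NAME.enc.salt and NAME.enc.iv, plus a readme_now.txt in each affected directory) is what a responder sees when triaging a device image. The following scanner is an added example written for this article, not ESET's decryption tool or code from the ransomware; it walks a directory tree, pairs each encrypted file with its companions, and flags files whose salt or IV is missing, since a decryptor that needs the per-file salt and IV cannot recover those. The sample tree is constructed in a temporary directory and contains placeholder bytes only.

```python
"""Triage scanner for CryCryptor-style artifacts on a file tree.

Every encrypted file is left as NAME.enc next to NAME.enc.salt and
NAME.enc.iv, and each affected directory receives a readme_now.txt.
The sample tree built by build_sample_tree() is constructed for this
example; no real encryption takes place.
"""
import os
import tempfile

ENC_EXT = ".enc"
COMPANION_EXTS = (".salt", ".iv")   # appended to the .enc file name
NOTE_NAME = "readme_now.txt"


def scan_tree(root):
    """Walk `root` and classify the artifacts found there.

    Returns a dict with three sorted lists:
      complete   - .enc files whose .enc.salt and .enc.iv both exist
      incomplete - .enc files missing a companion; a decryptor that needs
                   the per-file salt and IV cannot recover these
      notes      - directories that contain readme_now.txt
    """
    result = {"complete": [], "incomplete": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {n.lower() for n in files}
        if NOTE_NAME in lower_names:
            result["notes"].append(dirpath)
        for name in files:
            # Companions end in .salt / .iv, so they never match here.
            if not name.lower().endswith(ENC_EXT):
                continue
            companions = [(name + ext).lower() for ext in COMPANION_EXTS]
            bucket = "complete" if all(c in lower_names for c in companions) else "incomplete"
            result[bucket].append(os.path.join(dirpath, name))
    for key in result:
        result[key].sort()
    return result


def build_sample_tree():
    """Constructed sample: one fully encrypted photo, one document whose
    .iv file is missing, one untouched file, and a ransom note per folder."""
    root = tempfile.mkdtemp(prefix="crycryptor-triage-")
    layout = {
        "DCIM": ["IMG_0001.jpg.enc", "IMG_0001.jpg.enc.salt",
                 "IMG_0001.jpg.enc.iv", NOTE_NAME],
        "Documents": ["notes.txt.enc", "notes.txt.enc.salt", NOTE_NAME,
                      "untouched.pdf"],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for n in names:
            with open(os.path.join(folder, n), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for key, paths in report.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("  " + p)
```

Point `scan_tree()` at the mounted external storage of an affected device; the `incomplete` list is the one to review first, because those files will not be recoverable through the ransomware's own decryption routine.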
Decryption
The service responsible for decrypting files in CryCryptor has the encryption key stored in shared preferences, which means it does not need to contact any C&C server to retrieve it. Importantly, the service is exported without restrictions in the Android manifest (security weakness CWE-926), which means it can be started externally.
Based on this, we created an Android decryption app for those affected by the CryCryptor ransomware. Naturally, the decryption app only works on this version of CryCryptor.
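The weakness that made the decryptor possible, an exported service with no permission guarding it (CWE-926, discussed above and in the analysis section), is something a reviewer can check for in a decoded AndroidManifest.xml before an app ships or while triaging a sample. The script below is an added example written for this article, not ESET's tool or the ransomware's manifest: it applies the platform's export rules (explicit android:exported wins; otherwise, before API level 31, any component with an intent-filter is exported) and reports exported components that carry no android:permission. The two manifests are constructed, with placeholder package and class names; the weak one sits beside its hardened counterpart.

```python
"""Triage check for CWE-926 (Improper Export of Android Application Components).

Parses a decoded AndroidManifest.xml (for instance apktool output) and lists
components that any other app on the device may start because they are
exported and guarded by no android:permission. The two manifests below are
constructed for this example; the package and class names are placeholders,
not CryCryptor's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
COMPONENT_TAGS = ("service", "receiver", "activity", "provider")


def android_attr(elem, name):
    """Return an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Explicit android:exported wins; otherwise the platform default
    (before API 31) exports any component that declares an <intent-filter>."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher_activity(component):
    """A launcher activity has to be exported; it is expected, not a finding."""
    return any(android_attr(c, "name") == LAUNCHER_CATEGORY
               for c in component.iter("category"))


def unprotected_exported_components(manifest_xml):
    """Return (tag, android:name) for each exported component that has no
    android:permission, i.e. one that any installed app can start."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if tag == "activity" and is_launcher_activity(comp):
                continue
            if is_exported(comp) and android_attr(comp, "permission") is None:
                findings.append((tag, android_attr(comp, "name")))
    return findings


# Weak: the decryption service is exported to every app on the device (CWE-926),
# and the boot receiver is exported implicitly through its intent-filter.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".DecryptService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Hardened: the service is private to the app and the boot receiver is gone.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".DecryptService" android:exported="false"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, unprotected_exported_components(xml))
```

Two caveats when reading the output: apps targeting API level 31 or later must declare android:exported explicitly on every component with an intent-filter, so the implicit rule only matters for older targets; and a receiver for BOOT_COMPLETED shows up as a finding because it is exported, but that action is a protected broadcast only the system can send, so it is an item to review rather than a hole on its own. The exported service with no permission is the real CWE-926 case.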
A new family of ransomware
The CryCryptor ransomware is based on open source code published on GitHub. We found it there with a simple search based on the app's package name and a few strings that seemed unique.
The developers of the open source ransomware, who named it CryDroid, must have known that the code would be used for malicious purposes. In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal service. While it is unclear who uploaded the sample, it did indeed appear on VirusTotal the same day the code was posted on GitHub.
We reject the claim that the project is for research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.
We notified GitHub about the nature of this code.
ESET products protect against the CryCryptor ransomware, detecting it as Trojan.Android/CryCryptor.A. Besides using a quality mobile security solution, we advise Android users to install apps only from trusted sources such as the Google Play store.
Chronology:
- June 11, 2020: Source code released (CryDroid v1.1)
- June 11, 2020: Code uploaded to VirusTotal
- June 12, 2020: First malicious domain distributing this sample registered
- June 18, 2020: Malicious app (this Android ransomware) compiled (based on its certificate)
- June 21, 2020: Second malicious domain distributing this sample registered
- June 23, 2020: ESET reports to the Canadian Centre for Cyber Security
- June 23, 2020: Both domains stop responding
We have prepared a video showing the encryption and decryption process, along with our explanation.
Indicators of Compromise (IoCs)
Package name | Hash | ESET detection name
---|---|---
com.crydroid | 322AAB72228B1A9C179696E600C1AF335B376655 | Trojan.Android/CryCryptor.A
Distribution links
https://covid19tracer[.]ca/
https://tracershield[.]ca/
MITRE ATT&CK techniques
Tactic | ID | Name | Description
---|---|---|---
Initial Access | T1476 | Deliver Malicious App via Other Means | The malware is downloaded from a fake website
Initial Access | T1444 | Masquerade as Legitimate Application | Impersonates a COVID-19 tracking app
Persistence | T1402 | App Auto-Start at Device Boot | Listens for the BOOT_COMPLETED broadcast, ensuring the app's functionality is activated every time the device starts
Impact | T1471 | Data Encrypted for Impact | Encrypts files with particular extensions found on external storage
Lukas Stefanko