Google and Apple recently announced that they would work together on an API for COVID-19 contact tracing apps, but malicious hackers have already taken advantage of the news by creating a ransomware app disguised as a contact tracing app.
Hackers have developed a ransomware app known as CryCryptor. The Android app encrypts important user files on the device and leaves instructions on how to undo the encryption by paying the hackers.
Luckily, the security research team at ESET uncovered the scheme. Here is how the ransomware app works.
How does it work?
For CryCryptor to work, the hackers depend on one thing: the user allowing the installation of apps from outside the Google Play Store. If you have never done this, or are certain that your phone is set to never install apps from unknown sources, you are already safe from this particular ransomware.
But if you have enabled “installation from unknown sources” on your Android phone, here is how the malicious app works:
- A user visits an official-looking website that has a Google Play Store link to download a contact tracing app. The user clicks the link.
- Instead of going to the Play Store, the link downloads an APK file directly to the user’s device. It then asks if the user wants to install it.
- If the user has previously allowed apps from outside the Play Store, the installation will go smoothly.
- When the user launches the app they think is for contact tracing, the ransomware process begins. CryCryptor immediately starts encrypting important files on the phone.
- In every top-level folder that gets encrypted, a new text file named “readme_now.txt” appears. That file contains brief instructions on how to email the hackers to get the files decrypted.
- Unless the user pays up or decrypts the files themselves, their data is locked away for good.
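As an added defender-side example (not code from the article or from ESET), the script below triages a copy of a phone's storage for the infection chain just described: it looks in each top-level folder for the “readme_now.txt” ransom note and records how many other files sit beside it. It assumes the storage has been copied to a local directory; the sample directory tree it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Ransom-note filename reported for CryCryptor in the article above.
RANSOM_NOTE = "readme_now.txt"


def find_affected_folders(root):
    """Scan the top-level folders of a storage snapshot for the ransom note.

    Returns a dict mapping each affected folder name to the number of other
    files in it (the ones most likely encrypted) and the first line of the
    note, so the incident record captures what the note said.
    """
    root = Path(root)
    affected = {}
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        note = folder / RANSOM_NOTE
        if not note.is_file():
            continue
        other_files = [f for f in folder.iterdir() if f.is_file() and f != note]
        lines = note.read_text(errors="replace").splitlines()
        affected[folder.name] = {
            "files": len(other_files),
            "note_head": lines[0] if lines else "",
        }
    return affected


def build_sample_snapshot():
    """Constructed sample (not real data): two top-level folders carrying the
    note, one untouched, mirroring the layout the article describes."""
    base = Path(tempfile.mkdtemp(prefix="crycryptor_triage_"))
    layout = {
        "DCIM": ["IMG_0001.jpg", "IMG_0002.jpg", RANSOM_NOTE],
        "Download": ["invoice.pdf", RANSOM_NOTE],
        "Alarms": ["morning.mp3"],
    }
    for folder, names in layout.items():
        (base / folder).mkdir()
        for name in names:
            body = "CONSTRUCTED NOTE: files encrypted, email us\n" if name == RANSOM_NOTE else "x"
            (base / folder / name).write_text(body)
    return base


if __name__ == "__main__":
    for folder, info in find_affected_folders(build_sample_snapshot()).items():
        print(f"{folder}: {info['files']} file(s) beside the note; note starts: {info['note_head']!r}")
```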
Two of the websites that ESET found were hosting CryCryptor have already been shut down. However, it’s only a matter of time before other hackers take the same principle behind this ransomware and bring it to other sites.
Thankfully, ESET has developed a decryption tool for CryCryptor. You can read all about that here.