COVID-19 contact tracing ransomware scheme exposed, be careful out there - Android

Ransomware apps for Android are already out in the wild disguised as contact tracing apps for the COVID-19 pandemic.

Credit: Ryan-Thomas Shaw / Android Authority


  • A ransomware program disguised as a contact tracing app went out into the wild recently.
  • Luckily, the app was found and shut down quickly, so it likely didn’t affect many people.
  • However, more programs like this are sure to surface, so pay attention to the warning signs detailed here.



When Google and Apple announced they would be working together to create an API for future COVID-19 contact tracing apps, it was big news. Predictably, malicious hackers are already capitalizing on the news by creating ransomware apps that pose as contact tracing apps.

One such example happened just recently in Canada. On the same day that Canadian Prime Minister Justin Trudeau announced a voluntary nationwide contact tracing app, hackers compiled a ransomware app known as CryCryptor. The Android app encrypts important user files on a device and gives instructions on how to undo the encryption by paying the hackers.

Luckily, the security research team at ESET figured out the scheme. While CryCryptor may not be too prevalent a threat at the moment, that doesn’t mean ransomware of this type won’t be a big problem. You should read on to learn about how this was done so you can avoid it happening to you.

CryCryptor ransomware: How does it work?

For CryCryptor to work properly, the hackers are depending on one major thing: the user allowing the installation of apps from outside the Google Play Store. If you have never done this before or are certain that your phone is set to never install outside applications, you are already safe from this particular type of ransomware.

However, for people who don’t have their phone locked down in this manner, here’s how CryCryptor works:

  1. A user visits an official-looking website that has a Google Play Store link to download a contact tracing app. The user clicks the link.
  2. Instead of going to the Play Store, the link downloads an APK file directly to the user’s device. It then asks if the user wants to install it.
  3. If the user has previously allowed apps from outside the Play Store, the installation will go smoothly.
  4. When the user launches the app they think is for contact tracing, the ransomware process begins. CryCryptor immediately starts encrypting important files on the phone.
  5. In every top-level folder that gets encrypted, a new text file appears labeled as “readme_now.txt”. In that file are brief instructions on how to email the hackers to decrypt the files.
  6. Unless the user pays up or decrypts the files themselves, their data is locked away for good.
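
The lure in steps 1 and 2 depends on a link that is presented as a Google Play link but whose target is a direct APK download. As an added example (not from the article or from ESET), this Python script audits a page's HTML for that mismatch; the sample markup, the package id and the tracing-app.example domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PLAY_HOST = "play.google.com"  # web host of the real Play Store
# Constructed sample page: one genuine Play link, two lures, one neutral link.
SAMPLE = """
<a href="https://play.google.com/store/apps/details?id=com.example.tracing">Get it on Google Play</a>
<a href="https://tracing-app.example/download/tracing.apk"><img src="badge.png" alt="Get it on Google Play"></a>
<a href="https://tracing-app.example/files/update.apk">Download update</a>
<a href="https://tracing-app.example/about">About</a>
"""

class PlayLinkAuditor(HTMLParser):
    """Flag links that claim to be Google Play but are not, and direct APK links."""
    def __init__(self):
        super().__init__()
        self._href = None    # href of the <a> currently open, if any
        self._label = []     # visible text and image alt text inside that <a>
        self.findings = []   # (href, reason) for each suspicious link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._label = attrs.get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._label.append(attrs.get("alt") or "")  # badge images carry the claim

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        label = " ".join(self._label).lower()
        url = urlparse(self._href)
        host = (url.hostname or "").lower()  # empty for relative links
        claims_play = "google play" in label or "play store" in label
        if claims_play and host != PLAY_HOST:
            self.findings.append((self._href, "Play-branded link not on play.google.com"))
        elif url.path.lower().endswith(".apk"):
            self.findings.append((self._href, "direct APK download"))
        self._href = None

def audit(html):
    parser = PlayLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE)` returns the two lure links and leaves the genuine Play Store link and the neutral link unflagged.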

Two of the websites that ESET found were hosting CryCryptor have already been shut down. However, it’s only a matter of time before other hackers take the same principle behind this ransomware and bring it to other sites.

Thankfully, ESET developed a decrypting tool for CryCryptor. You can read all about that here.

The golden rule, though, is to never download anything from outside the Play Store unless you are 100% certain it is from a legitimate source. It’s not worth the risk!

24/06/2020 06:44 PM