A new ransomware called CryCryptor is targeting Canadian Android users. It is distributed via multiple websites that pose as portals for a government-backed COVID-19 tracing app.
According to research published by ESET on June 24, CryCryptor appeared shortly after Canada's government announced a COVID-19 tracing app that utilizes voluntary information submitted by citizens.
Once the victim installs the fake app, the ransomware encrypts all files, leaving a "readme" note with the attacker's email instead of locking the device. For this particular attack, ransom instructions appear to only be distributed via email.
An open source ransomware
The ransomware’s code is based on an open source project which is available through GitHub. Experts dismiss the claim that this ransomware "project" has research purposes:
"The developers of the open source ransomware, who named it CryDroid, must have known the code would be used for malicious purposes. In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal service. While it's unclear who uploaded the sample, it indeed appeared on VirusTotal the same day the code was published on GitHub."
ESET analysts have recently created an Android decryption app for victims of CryCryptor. They clarify that it only works with the current version.
On April 28, Cointelegraph reported that cybercriminals have been posing as the FBI in an effort to defraud Android users.
Earlier this year, a study published by the Colombian Chamber of Informatics and Telecommunications revealed that in 2019, 89% of malware on Android in the country included code for crypto mining.