June 25, 2020

Researchers discover ransomware masquerading as contact tracing app

By Ellen Daniel

Researchers have discovered that cybercriminals are exploiting the release of contact tracing apps as a way of distributing malware.

According to ESET, Android users in Canada have been targeted by CryCryptor ransomware, masquerading as Canada’s official contact tracing app.

The rollout of the voluntary app, named COVID Alert, was announced by Canadian Prime Minister Justin Trudeau, and it will be available to download in the province of Ontario in the next few weeks.

ESET researchers were alerted to two websites, identical to the official COVID Alert websites, that were actually distributing ransomware. The ransomware requests access to files on a user’s device before encrypting them, leaving them unreadable.

CryCryptor displays a notification “Personal files encrypted, see readme_now.txt”, with victims directed to an email address to pay a ransom.

ESET informed the Canadian Centre for Cyber Security about this threat as soon as it was identified and was able to create a decryption tool for the malware.

“Cybercriminals were quick to take advantage of the Covid-19 pandemic. We’ve seen no shortage of phishing scams and malware distributed under the guise of coronavirus-related apps, documents, and services,” said Paul Bischoff, Privacy Advocate at Comparitech.com.

“Many of these schemes prey on people’s fear of infection and desire to help combat the spread of the virus. Cybercriminals lure victims in with false treatments, news, products, services, and now contact tracing apps. Although Google Play is not perfect when it comes to protecting users from malware, it’s worth noting that this app was never approved to be on Google Play, so would require users to allow third-party apps from unknown sources to be installed on their devices. Android users should be especially sceptical of apps that aren’t available from Google Play.”

Ransomware follows growing concerns over abuse of contact tracing apps

Contact tracing apps have proved controversial: despite their benefits, many have voiced concerns over privacy and security. Because app users are required to enter personal health information, that data could have severe consequences in the wrong hands.

According to a survey by Anomali, 43% of UK respondents were concerned that contact tracing apps could lead to an increase in phishing or smishing attacks.

Erich Kron, Security Awareness Advocate at KnowBe4.com, said:

“This is yet another example of attackers using the current Covid-19 situation as an attack vector on people. Given the emotional nature surrounding the pandemic and the latest spikes in new cases, the bad actors have no problem cashing in on the chaos.

“Hearing about a Covid-19 tracker through official government channels, people are more likely to look for and install an app, especially when it is made to look official. Once this trust is established, people are more likely to dismiss any suspicions when the tracking app requests access to files on their device and approve the request. This opened the door for the attack to be successful.

“It is interesting to see that this attack included file type extensions such as .jpg, .png and .avi along with document types as well. By encrypting photos and videos on the external storage of the phone as opposed to simple documents, the attackers are making it personal and attempting to improve their odds of payment. People tend to keep a lot of personal photos on their devices, which makes them a prime target.”
