
Google and Apple recently announced their collaboration to create an API for COVID-19 contact tracing apps. However, malicious hackers have started taking advantage of that announcement with a ransomware app, known as CryCryptor, that disguises itself as a contact tracing app.

The Android app encrypts important user files on a device and gives instructions on how to undo the encryption by paying the hackers.


Luckily, the security research team at ESET figured out the scheme, and here is how the ransomware app works.

How CryCryptor Ransomware Works

For CryCryptor to work at all, the hackers depend on one thing: the user allowing the installation of apps from outside the Google Play Store. If you have never done this, or are certain that your phone is set to never install apps from outside the store, you are already safe from this particular piece of ransomware.


But if you’ve enabled “installation from unknown sources” on your Android device, here is how the malicious app works:

  1. A user visits an official-looking website that has a Google Play Store link to download a contact tracing app. The user clicks the link.
  2. Instead of going to the Play Store, the link downloads an APK file directly to the user’s device. It then asks if the user wants to install it.
  3. If the user has previously allowed apps from outside the Play Store, the installation will go smoothly.
  4. When the user launches the app they think is for contact tracing, the ransomware process begins. CryCryptor immediately starts encrypting important files on the phone.
  5. In every top-level folder that gets encrypted, a new text file appears named “readme_now.txt”. That file contains brief instructions on how to email the hackers to get the files decrypted.
  6. Unless the user pays up or decrypts the files themselves, their data is locked away for good.
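As an added example (not code from the article or from ESET's tooling), here is a small Python triage helper that checks an exported copy of a phone's storage for the readme_now.txt ransom note in each top-level folder and pulls the contact addresses out of the note; the folder names, file names and note text it builds are constructed sample data, and `triage_storage` and `build_sample_storage` are hypothetical names.

```python
import os
import re
import tempfile

# Indicator from the report: the ransom note dropped in each affected top-level folder.
RANSOM_NOTE = "readme_now.txt"
# Loose e-mail pattern, enough to lift contact addresses out of a ransom note.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def triage_storage(root):
    """Scan an exported copy of the device's shared storage (e.g. a pulled /sdcard tree).

    Returns a dict keyed by affected top-level folder name, with the contact
    addresses found in its ransom note and the number of other files under it
    (the files that may have been encrypted)."""
    findings = {}
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        if not os.path.isdir(folder):
            continue
        note_path = os.path.join(folder, RANSOM_NOTE)
        if not os.path.isfile(note_path):
            continue  # no note in this top-level folder, so it was not touched
        with open(note_path, encoding="utf-8", errors="replace") as fh:
            note_text = fh.read()
        other_files = 0
        for _dirpath, _dirs, files in os.walk(folder):
            other_files += sum(1 for f in files if f != RANSOM_NOTE)
        findings[name] = {
            "contacts": sorted(set(EMAIL_RE.findall(note_text))),
            "files_in_folder": other_files,
        }
    return findings


def build_sample_storage():
    """Constructed sample tree (not real malware output): two folders, one with a note."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    os.makedirs(os.path.join(root, "DCIM", "Camera"))
    os.makedirs(os.path.join(root, "Download"))
    for fname in ("IMG_001.jpg", "IMG_002.jpg"):
        open(os.path.join(root, "DCIM", "Camera", fname), "wb").close()
    open(os.path.join(root, "Download", "invoice.pdf"), "wb").close()
    with open(os.path.join(root, "DCIM", RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Email attacker@example.invalid to recover them.\n")
    return root


if __name__ == "__main__":
    for folder, info in triage_storage(build_sample_storage()).items():
        print(f"{folder}: note found, contacts={info['contacts']}, files={info['files_in_folder']}")
```

Point `triage_storage` at a real export instead of the sample tree to list which folders carry the note and which addresses the note names.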

Two of the websites that ESET found were hosting CryCryptor have already been shut down. However, it’s only a matter of time before other hackers take the same principle behind this ransomware and bring it to other sites.

Thankfully, ESET has developed a decryption tool for CryCryptor. You can read all about that here.
