Google and Apple recently announced their collaboration on an API for COVID-19 contact tracing apps. Attackers have already started exploiting the public interest in such apps by developing a ransomware app, known as CryCryptor, that is disguised as a contact tracing app.
The Android app encrypts important user files on a device and gives instructions on how to undo the encryption by paying the hackers.
Luckily, the security research team at ESET figured out the scheme. Here is how the ransomware app works.
How CryCryptor Ransomware Works
CryCryptor is not distributed through the Play Store, so it can only be installed if you have enabled installation from "Unknown sources" on your Android device. If that setting is enabled, here is how the malicious app works:
- A user visits an official-looking website that has a Google Play Store link to download a contact tracing app. The user clicks the link.
- Instead of going to the Play Store, the link downloads an APK file directly to the user's device. It then asks if the user wants to install it.
- If the user has previously allowed apps from outside the Play Store, the installation will go smoothly.
- When the user launches the app they think is for contact tracing, the ransomware process begins. CryCryptor immediately starts encrypting important files on the phone.
- In every top-level folder that gets encrypted, a new text file appears labeled "readme_now.txt". In that file are brief instructions on how to email the hackers to decrypt the files.
- Unless the user pays up or decrypts the files themselves, their data is locked away for good.
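The ransom note in every encrypted top-level folder is the most reliable on-device indicator of this infection, so a quick triage pass can map which folders were hit and pull the attacker's contact address out of the note as an indicator to block. The script below is an added example, not code from ESET or from the article; it assumes you have pulled the phone's shared storage to a local directory (for instance with `adb pull`), that the note is named exactly `readme_now.txt` as the article states, and it uses a constructed sample tree in which a hypothetical `.enc` suffix marks encrypted files and `attacker@example.com` stands in for the real contact address (the article gives neither).

```python
"""Triage helper for a CryCryptor-style infection on a pulled copy of
Android shared storage. Added example; not ESET's or the article's code."""
import re
import tempfile
from pathlib import Path

# The ransom note name is taken from the article; everything else below is
# an assumption made for the example.
NOTE_NAME = "readme_now.txt"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_ransom_notes(root):
    """Walk the top-level folders of `root` and return a dict
    {folder_name: {"contacts": [...], "files": [...]}} for every folder
    that holds a readme_now.txt. `contacts` are the e-mail addresses found
    in the note (usable as indicators), `files` are the other files in that
    folder, i.e. the ones the malware most likely encrypted."""
    root = Path(root)
    hits = {}
    for top in sorted(p for p in root.iterdir() if p.is_dir()):
        note = top / NOTE_NAME
        if not note.is_file():
            continue
        text = note.read_text(errors="replace")
        hits[top.name] = {
            "contacts": sorted(set(EMAIL_RE.findall(text))),
            "files": sorted(f.name for f in top.iterdir()
                            if f.is_file() and f.name != NOTE_NAME),
        }
    return hits


def build_sample_tree():
    """Constructed sample storage tree (not real malware output): two folders
    carrying a note and one untouched folder. The ".enc" suffix and the
    e-mail address are assumptions for the sample only."""
    base = Path(tempfile.mkdtemp(prefix="crycryptor_triage_"))
    note = ("Your files are encrypted.\n"
            "Email attacker@example.com with your device ID to get them back.\n")
    for folder, files in {
        "DCIM": ["IMG_0001.jpg.enc", "IMG_0002.jpg.enc"],
        "Documents": ["tax_2019.pdf.enc"],
    }.items():
        (base / folder).mkdir()
        (base / folder / NOTE_NAME).write_text(note)
        for name in files:
            (base / folder / name).write_bytes(b"\x00" * 32)
    (base / "Android").mkdir()
    (base / "Android" / "data.bin").write_bytes(b"\x01" * 8)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for folder, info in find_ransom_notes(sample).items():
        print(f"{folder}: note found, contact(s) {info['contacts']}, "
              f"{len(info['files'])} file(s) beside it: {info['files']}")
```

Run it against a real pull by passing the pulled directory to `find_ransom_notes` instead of the sample tree; folders that come back empty were not touched, and the `contacts` list is what you feed to mail filtering and to the incident report.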
Two of the websites that ESET found hosting CryCryptor have already been shut down. However, it is only a matter of time before other attackers reuse the same lure and bring it to other sites.
Thankfully, ESET developed a decryption tool for CryCryptor.