Attackers are impersonating the Canadian government’s COVID-19 contact tracing app which is yet to be released for public.
Governments around the world have been taking measures to combat the Coronavirus. One tactic involved is the use of contact tracing apps to help track down individuals who may have been in contact with a victim of the virus, therefore being at risk themselves.
One such country happens to be Canada who recently announced the release of an app named “COVID Alert” which will be available to Canadians countrywide in just over a month’s time.
However, attackers haven’t waited and have already started an impersonation campaign by releasing a fake Android app that claims to be from Health Canada but in actuality is a devious piece of malware leading to ransomware infection.
This reminds us of a recent report in which hackers were caught impersonating fake government-issued COVID-19 contact tracing apps to spread spyware.
As discovered by researchers from ESET, the attackers were offering the app’s APK through two domain names, namely tracershield[.]ca and covid19tracer[.]ca, both of which are not active now.
The campaign works in such a way that once the user installs the application, it leads to ransomware named CryCryptor being installed on their devices. The malware then requests permissions to access files on the device after which it subsequently starts encrypting the data involving different file extensions.
These files are encrypted using AES & a 16 character key which is generated randomly. Furthermore, the original file is deleted and 3 other files are created by the malware, all appended with the “.enc” extension.
To brief a bit more on this, the researchers have stated that additionally alongside “the algorithm generates a salt unique for every encrypted file, stored with the extension ‘.enc.salt’; and an initialization vector, ‘.enc.iv'” as shown in the photo below.
Once this process is done, the user is notified of this “good news” by the attackers through a notification that states “Personal files encrypted, see readme_now.txt”. The user is given instructions on what to do next within the file as shown below.
As for who’s behind this all, the source code of the ransomware has been found on Github named CryDroid claiming to be a research project but we all know – that’s not the truth. As a result, these developments have been reported to Github. ESET states in its blog post that,
We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.
To conclude, currently, ESET has managed to create a decryption app for this malware helping infected users to disinfect their devices.
For the future, it is expected that Canadian authorities take a leading role in educating their citizens about the status of the app so they do not fall prey to such scams.
Users are again advised to avoid making any downloads from any third-party app stores and even carefully evaluating apps within the Google Play Store before downloading them. Also, install reliable anti-virus software and scan your device regularly.