{
	"id": "ea7b38a3-0493-41cc-8bdd-79fde6177346",
	"created_at": "2026-04-06T00:18:34.833181Z",
	"updated_at": "2026-04-10T03:21:32.277706Z",
	"deleted_at": null,
	"sha1_hash": "ea3ac8359794e944c0a13697bb0c3f77a56c1a59",
	"title": "New ransomware posing as COVID-19 tracing app targets Canada; ESET offers decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1032834,
	"plain_text": "New ransomware posing as COVID-19 tracing app targets Canada;\r\nESET offers decryptor\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 18:35:35 UTC\r\nESET Research\r\nESET researchers dissect an Android app that masquerades as an official COVID-19 contact-tracing app and encrypts files\r\non the victim's device\r\n24 Jun 2020  •  , 4 min. read\r\nNew ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an\r\nofficial COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a\r\ndecryption tool for the victims.\r\nCryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the\r\ndevelopment of a nation-wide, voluntary tracing app called COVID Alert. The official app is due to be rolled out for testing\r\nin the province of Ontario as soon as next month.\r\nESET informed the Canadian Centre for Cyber Security about this threat as soon as it was identified.\r\nhttps://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/\r\nPage 1 of 8\n\nFigure 1. One of the malicious distribution websites; the other one has identical design and differs only in its domain,\r\ncovid19tracer[.]ca.\r\n \r\nOnce the user falls victim to CryCryptor, the ransomware encrypts the files on the device – all the most common types of\r\nfiles – but instead of locking the device, it leaves a “readme” file with the attacker’s email in every directory with encrypted\r\nfiles.\r\nFortunately, we were able to create a decryption tool for those who fall victim to this ransomware.\r\nRELATED READING: Mobile security threats amid COVID‑19 and beyond: A Q\u0026A with Lukas Stefanko\r\nAfter we spotted the tweet that brought this ransomware to our radar (the researcher who discovered it mistakenly labeled\r\nthe malware as a banking trojan), we analyzed the app. 
We discovered a bug of the type “Improper Export of Android\r\nComponents” that MITRE labels as CWE-926.\r\nDue to this bug, any app that is installed on the affected device can launch any exported service provided by the\r\nransomware. This allowed us to create the decryption tool – an app that launches the decrypting functionality built into the\r\nransomware app by its creators.\r\nEncryption/functionality\r\nAfter launch, the ransomware requests permission to access files on the device. After obtaining that permission, it encrypts files on\r\nexternal media with certain extensions, which are shown in Figure 2.\r\nFigure 2. File extensions to be encrypted\r\nSelected files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three\r\nnew files are created, and the original file is removed. The encrypted file has the extension “.enc” appended; the\r\nalgorithm also generates a salt unique to every encrypted file, stored with the extension “.enc.salt”, and an initialization vector,\r\nstored with the extension “.enc.iv”.\r\nFigure 3. Files after encryption\r\nAfter all the target files are encrypted, CryCryptor displays a notification “Personal files encrypted, see readme_now.txt”.\r\nThe readme_now.txt file is placed in every directory with encrypted files.\r\nFigure 4. File encryption notification (left) and contents of the readme_now.txt file (right)\r\nDecryption\r\nThe service responsible for file decryption in CryCryptor has the encryption key stored in shared preferences, meaning it\r\ndoesn’t have to contact any C\u0026C to retrieve it. 
Importantly, the service is exported without any restriction in the Android\r\nManifest (security weakness CWE-926), which means it is possible to launch it externally.\r\nBased on this, we created an Android decryption app for those affected with the CryCryptor ransomware. Naturally, the\r\ndecryption app works only on this version of CryCryptor.\r\nA new ransomware family\r\nThe CryCryptor ransomware is based on open source code on GitHub. We discovered it there using a simple search based on\r\nthe app’s package name and a few strings that looked unique.\r\nThe developers of the open source ransomware, who named it CryDroid, must have known the code would be used for\r\nmalicious purposes. In an attempt to disguise the project as research, they claim they uploaded the code to the VirusTotal\r\nservice. While it’s unclear who uploaded the sample, it indeed appeared on VirusTotal the same day the code was published\r\non GitHub.\r\nFigure 5. The open source ransomware\r\nWe dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is\r\neasy to misuse for malicious purposes.\r\nWe notified GitHub about the nature of this code.\r\nESET products provide protection against the CryCryptor ransomware, detecting it as Trojan.Android/CryCryptor.A. 
On top\r\nof using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the\r\nGoogle Play store.\r\nTimeline:\r\nJun 11, 2020: source code published – CryDroid v1.1\r\nJun 11, 2020: code uploaded to VirusTotal\r\nJun 12, 2020: first malicious domain that distributed this sample was registered\r\nJun 18, 2020: malicious app (this Android ransomware) was compiled (based on its certificate)\r\nJun 21, 2020: second malicious domain that distributed this sample was registered\r\nJun 23, 2020: ESET informs Canadian Centre for Cyber Security\r\nJun 23, 2020: the two domains stopped responding\r\nWe have prepared a video that shows the process of encryption and decryption, along with our explanation.\r\nIndicators of Compromise (IoCs)\r\nPackage name | Hash | ESET detection name\r\ncom.crydroid | 322AAB72228B1A9C179696E600C1AF335B376655 | Trojan.Android/CryCryptor.A\r\nDistribution links\r\nhttps://covid19tracer[.]ca/\r\nhttps://tracershield[.]ca/\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1476 | Deliver Malicious App via Other Means | The malware is downloaded from a fake website\r\nInitial Access | T1444 | Masquerade as Legitimate Application | It impersonates a COVID-19 tracking app\r\nPersistence | T1402 | App Auto-Start at Device Boot | It listens for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts\r\nImpact | T1471 | Data Encrypted for Impact | Encrypts files with particular file extensions found on external media\r\nSource: 
https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/"
	],
	"report_names": [
		"new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea3ac8359794e944c0a13697bb0c3f77a56c1a59.pdf",
		"text": "https://archive.orkl.eu/ea3ac8359794e944c0a13697bb0c3f77a56c1a59.txt",
		"img": "https://archive.orkl.eu/ea3ac8359794e944c0a13697bb0c3f77a56c1a59.jpg"
	}
}