June 4, 2020
Cybersecurity

​Android Ransomware Fabricates FBI Notes — Check Point

Check Point, Android, Black Rose Lucy, malware, ransomware, cybersecurity, scam, Russian

While browsing videos to watch on social media, a new variant of Russian malware tricks users into encrypting their files, then impersonates the FBI to force ransom pay, accusing the user of pornographic crimes.

Media Release:

RESEARCHERS at Check Point has discovered a new variant of Android malware called Black Rose Lucy.

First discovered by Check Point researchers in September 2018, Lucy is a Malware-as-a-Service (MaaS) dropper that originated in Russia, a threat that downloads and installs new threats with ransomware capabilities.

When downloaded, the new variant encrypts files on the infected device and displays a ransom note in the browser window that claims an official message from the United States FBI. The ransom note accuses the victim of possessing pornographic content on their device, stating that the user’s details have been uploaded to the FBI Cyber Crime Department’s Data Center, accompanied by a list of legal offenses that the user is accused of committing. To make the situation go away, the victim is instructed to pay a US$500 “fine” via credit card, and not Bitcoin, which is the more typical manner of mobile ransomware payout.

All in all, Check Point researchers collected 80 sample of the new Black Rose Lucy variant. The samples acquired disguised themselves as harmless-looking video player applications, leveraging Android’s accessibility service to install their payload without any user interaction, creating an interesting self-protection mechanism.

Check Point, Android, Black Rose Lucy, Russian, malware, ransomware, cybersecurity, scam
Lucy’s Ransom Note. (Source: Check Point)

How Lucy Works

Lucy leverages a cunning method to slip inside Android devices, giving it the title of “the Achilles Heel in Android’s defensive armor”, by Check Point researchers. Lucy’s order of operations are as follows:

  • Lucy is downloaded and installed via social media and instant messenger as a video player application.
  • Lucy tricks the user to allow accessibility service by pretending to enable a bogus service, VSO – video streaming optimizer.
  • Lucy grants itself administrative privileges by using accessibility service.
  • Lucy encrypts the files on the device, storing the encryption key in the shared preferences.
  • Lucy displays a ransom note “fine” from the FBI, demanding credit card info to pay it.

After Lucy finishes encrypting the desired files on the device, and performs all the checks to verify that the files were encrypted successfully, Lucy displays a ransom note in the browser window.

The ransom note pretends to be an official message from the US Department of Justice Federal Bureau of Investigations (FBI) and accuses the victim of possessing pornographic content on his device. As a result, all content on the device is encrypted and locked.

In addition, the message states that the victim’s details are now uploaded to the FBI Cyber Crime Departments Data Center, accompanied by a list of legal offenses that the victim is accused of committing. Eventually, the victim is instructed to pay a US$500 “fine” by providing credit-card information, over the more common method of using Bitcoin.

How to Stay Protected

Aviran Hazum, manager, Mobile Research, Check Point Software Technologies, says, “To stay safe, I’d install a security solution and only use official markets. And as always, keep your device’s OS and apps up to date at all times.” (Check Point)

Don't be shy, comments are welcome! Thank you.

This site uses Akismet to reduce spam. Learn how your comment data is processed.