Ransomware Goes Mobile – New Android Ransomware Fabricates Notes from FBI
April 2020 by Check Point
Researchers at Check Point discovered a new variant of Android malware called Black Rose Lucy. First discovered by Check Point in September 2018, Lucy is a Malware-as-a-Service dropper that originated in Russia, a threat that downloads and installs new threats with ransomware capabilities. When downloaded, the new variant encrypts files on the infected device and displays a ransom note in the browser window that claims an official message from the United States FBI.
The ransom note accuses the victim of possessing pornographic content on their device, stating that the user’s details have been uploaded to the FBI Cyber Crime Department’s Data Center, accompanied by a list of legal offenses that the user is accused of committing. To make the situation go away, the victim is instructed to pay a $500 USD “fine” via credit card, and not Bitcoin, which is the more typical manner of mobile ransomware payout.
Check Point researchers collected 80 samples of the new Black Rose Lucy variant. The samples acquired disguised themselves as harmless-looking video player applications, leveraging Android’s accessibility service to install their payload without any user interaction, creating an interesting self-protection mechanism. Lucy exploits an Achilles Heel in Android defences to slip inside Android devices, according to researchers. Lucy’s order of operations are as follows:
1. Lucy is downloaded and installed via social media and instant messenger as a video player application.
2. Lucy tricks the user to allow accessibility service by pretending to enable a bogus service, VSO - video streaming optimizer.
3. Lucy grants itself administrative privileges by exploiting the Android accessibility service which mimics a user’s screen clicks and can automate user interactions with the device
4. Lucy encrypts the files on the device, storing the encryption key in the shared preferences.
5. Lucy displays a ransom note “fine” from the FBI, demanding credit card info to pay it.
After Lucy finishes encrypting the desired files on the device, and performs all the checks to verify that the files were encrypted successfully, Lucy displays a ransom note in the browser window. The ransom note pretends to be an official message from the US FBI and accuses the victim of possessing pornographic content on his device. As a result, all content on the device is encrypted and locked. In addition, the message states that the victim’s details are now uploaded to the FBI Cyber Crime Departments Data Center, accompanied by a list of legal offenses that the victim is accused of committing, and eventually instructing the victim to pay the $500 “fine” by providing credit-card information.
Check Point Manager of Mobile Research, Aviran Hazum said: “We are seeing an evolution in mobile ransomware: it’s becoming more sophisticated and efficient. Threat actors are learning fast, drawing from their experience of past campaigns, and the impersonation of a message from the FBI is a clear scare tactic. Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack. It’s a scary but very real possibility, and we urge everyone to think twice before clicking on anything to accept or enable functions while browsing videos on social media. To stay safe, users should install a security solution on their devices and only use official app stores. And as always, they should keep their device’s OS and apps up to date at all times.”