Black Rose Lucy ransomware doesn’t ask for digital currency payments

Getting your Trinity Audio player ready...

A new variant of the Black Rose Lucy malware has been discovered by security researchers, targeting Android devices. The malware encrypts its victim’s data and then displays a ransom note in the form of a fine for allegedly watching pornographic content. However, unlike most other malware, it doesn’t ask for the payment in digital currencies.

Black Rose Lucy was first discovered in September 2018 by security researchers from Israeli cybersecurity firm Check Point. It’s one in a growing pool of malware that now target mobile devices, usually passed on through social media or instant messaging apps. The Malware-as-a-Service (MaaS) botnet is back, and this time, it comes with new capabilities.

In their report, the researchers revealed that the malware now encrypts data and displays a ransom note that claims to be from the FBI. The ‘FBI’ accuses the victim of watching pornographic content, and list a number of legal offenses they have committed—but they can make it all go away for $500. The criminals, however, don’t want the ransom paid in digital currencies, instead choosing credit card payments.

Android devices require manual configuration to allow an application to have administrator privileges. Lucy overcomes this by exploiting the Android accessibility service which is used to automate certain services. Posing as a video application, it displays a pop-up message asking the user to enable ‘Streaming Video Optimization’. By clicking ‘OK’, the user gives the malware administrator rights after which encryption of data takes place.

The malware has also now changed tact, fortifying its command and control servers. Unlike with previous versions, the latest strain’s C&C is a domain and not an IP address. This ensures that if authorities take down the server, the hackers can easily move it into a new IP address and continue with their attacks.

Once the victim pays the ransom, the malware decrypts the files and then goes on to delete itself.

Threats targeting mobile devices are quickly evolving, becoming more efficient and sophisticated. Aviran Hazum, the mobile research manager at Check Point believes that they are learning from what has worked in the past and refining their tactics with time. This, however, is just the beginning, with the cybersecurity expert expecting things to get worse in the future.

He stated, “Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack. It’s a scary but very real possibility, and we urge everyone to think twice before clicking on anything to accept or enable functions while browsing videos on social media. To stay safe, users should install a security solution on their devices and only use official app stores. And, as always, they should keep their device’s OS and apps up to date at all times.”