New Android ransomware masquerades as FBI message
Researchers at Check Point have discovered a new variant of Android malware called Black Rose Lucy that, when downloaded, encrypts files on the infected device and displays a ransom note in the browser claiming to be an official message from the FBI.
First discovered by Check Point in September 2018, Lucy is a Malware-as-a-Service dropper that originated in Russia and downloads and installs new threats with ransomware capabilities.
In this new variant the ransom note accuses the victim of having pornographic content on their device, claiming that the user's details have been uploaded to the FBI Cyber Crime Department's data center, accompanied by a list of offenses that the user is accused of committing. To make the situation go away, the victim is instructed to pay a $500 'fine' via credit card -- interestingly not Bitcoin, which is the more typical method of mobile ransomware payout.
Check Point researchers have collected 80 samples of the new Black Rose Lucy variant. The samples came disguised as harmless-looking video player applications that leverage Android's accessibility service to install their payload without any user interaction, which also serves as a self-protection mechanism. According to the researchers, Lucy exploits an Achilles heel in Android's defences to slip onto devices.
Once installed, Lucy tricks the user into allowing accessibility by pretending to enable a bogus service called VSO (video streaming optimizer). Lucy then grants itself administrative privileges by abusing the Android accessibility service, which can mimic a user's screen clicks and automate interactions with the device. This allows it to encrypt files before displaying the ransom demand.
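As an added illustration (not Check Point's tooling or code from the report), the following triage helper flags a decoded AndroidManifest.xml that declares both an accessibility service and a device-admin receiver, the two components the abuse described above depends on; it assumes "administrative privileges" means Android's device-admin API, and the sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Manifest markers for the two capabilities the article describes Lucy chaining:
# an accessibility service (to script screen taps) and a device-admin receiver.
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

def _android_attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def _declares(root, tag, perm, action):
    """True if some <tag> under <application> is bound with perm and filters action."""
    app = root.find("application")
    for comp in ([] if app is None else app.findall(tag)):
        if _android_attr(comp, "permission") != perm:
            continue
        if any(_android_attr(a, "name") == action for a in comp.iter("action")):
            return True
    return False

def triage_manifest(manifest_xml):
    """Return findings for a decoded AndroidManifest.xml string (hypothetical helper)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    if _declares(root, "service", A11Y_PERM, A11Y_ACTION):
        findings.append("accessibility-service")
    if _declares(root, "receiver", ADMIN_PERM, ADMIN_ACTION):
        findings.append("device-admin")
    return findings

# Constructed manifest of a fake "video player" declaring both components.
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer"><application>
  <service android:name=".VsoService"
           android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service>
  <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
    <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
</application></manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS))  # ['accessibility-service', 'device-admin']
```

A video player that legitimately needs neither component returns an empty list, so both findings together on a media app are a strong signal worth a closer look.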
"We are seeing an evolution in mobile ransomware: it's becoming more sophisticated and efficient," says Check Point's manager of mobile research, Aviran Hazum. "Threat actors are learning fast, drawing from their experience of past campaigns, and the impersonation of a message from the FBI is a clear scare tactic. Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack. It's a scary but very real possibility, and we urge everyone to think twice before clicking on anything to accept or enable functions while browsing videos on social media. To stay safe, users should install a security solution on their devices and only use official app stores. And as always, they should keep their device’s OS and apps up to date at all times."
You can find out more on the Check Point site.