‘Black Rose Lucy’ is Back, Now Pushing Ransomware

Researchers say incidents of mobile malware are becoming more common and growing more sophisticated.

Cybercriminals behind the Android-based dropper malware Black Rose Lucy have shifted attacks from info-stealing to ransomware – with a sextortion twist.

The malware family, operated by the Lucy Gang, encrypts targeted Android devices and delivers a spoofed FBI message. The ransom note claims the phone’s user has visited “forbidden pornographic sites” on their phone and that a “snapshot” of their face was uploaded to the agency. Pay $500 and the problem goes away, according to Check Point security researchers.

The Russian-speaking threat actor was first identified by Check Point in 2018. At the time, the Lucy Gang promoted its offerings as a malware-as-a-service that could collect victims’ device data, listen to a remote command-and-control (C2) server and install extra malware sent from a C2 server.

With its most recent ransomware campaign, researchers said they have discovered more than 80 malware samples tied to Lucy, along with identifying one new active Lucy variant in the wild. Distribution of the malware is social based, researchers said, where targets are enticed to download a video player booby-trapped with the Lucy dropper.

“We found that the samples we acquired disguised themselves as a harmless-looking video player application, primarily leveraging Android’s accessibility service to install their payload without any user interaction and create an interesting self-protection mechanism,” wrote co-authors of the Check Point report Ohad Mana, Aviran Hazum, Bogdan Melnykov and Liav Kuperman.

To push downloads of its malicious video player, victims receive a message on malware distribution sites that reads “to continue watching the video on your phone, you must enable Streaming Video Optimization (SVO), select it in the menu and turn it on!’

By clicking “OK”, the user grants the malware permission to use the Android Accessibility Service to install the malware payload without any user interaction.

“The malware starts by registering a receiver called ‘uyqtecppxr’ to run BOOT_COMPLETE and QUICKBOOT_POWERON to check if the country code of the device is from a former Soviet state. Lucy then tries to trick the victim into enabling the Accessibility Service by initiating an Alert Dialog that asks the user to take action,” researchers explain.

“Inside the MainActivity module, the application triggers the malicious service, which then registers a BroadcastReceiver that is called by the command action.SCREEN_ON and then calls itself. This is used to acquire the ‘WakeLock’ service, which keeps the device’s screen on, and ‘WifiLock’ service, which keeps the WIFI on,” they said.

The Android Accessibility Services was designed by Google to allow disabled users to mimic a user’s screen clicks and can automate user interactions with the device. “With Lucy, [the Android Accessibility Service] is the Achilles Heel in Android’s defensive armor,” researchers said.

Another update to Lucy’s attack strategy is the Black Rose Lucy malware fortifies its C2 servers. According to Check Point, threat actors now use a domain and not an IP address. “Although the server can be taken down, it can easily be resolved into a new IP address, which makes it much harder to neutralize the malware,” researchers noted.

The encryption process first includes the malware attempting to fetch the victim’s device directories. “Initially [Lucy] tries to fetch an array of all the device’s directories. In the case of failure, it tries to fetch the directory /storage. As last resort, it tries to fetch the /sdcard directory,” researchers explain.

Researchers said, once the malware has finished encrypting the device files (with the .Lucy extension) and performed checks to verify the files were encrypted, it displays a ransom note in the browser window (see below to read the entire fake FBI ransom message).

From Check Point’s analysis of the malware, it believes, “When the decryption process is complete, the malware sends logs to inform that all of the files were decrypted successfully. The malware then changes the current command to ‘Delete’ and proceeds to delete itself.”

Researchers say incidents of mobile malware are becoming more common and growing more sophisticated. Black Rose Lucy, they said, is an example of that and represents “an important milestone” in the evolution of mobile malware.

“Sooner or later, the mobile world will experience a major destructive ransomware attack,” researchers said.

black rose Lucy ransomware

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles