Ransomware has long been one of the infamous malware types out there, perhaps due to the payday that it brings in. This has incentivized hackers to add such functionality to existing malware programs and this time Android ransomware is targeting unsuspecting users.
One such example is of the Black Rose Lucy malware family which was discovered in 2018 serving as a botnet and a dropper. Since then though, it has added ransomware capabilities targeting Android devices as discovered by researchers at Checkpoint.
Once Lucy infects a device, it starts by encrypting all the data on it and then displays a ransom note in the browser. The note claiming to be from the FBI scares the victim into believing that they have been found possessing pornographic material on the device which leads to a range of criminal offenses.
Furthermore, it states that their details have been sent to the FBI Cyber Crime Department’s Data Center and they should pay a sum of $500 as a fine.
A unique aspect emerging from this is that the payment is demanded by a request of credit card details rather than the usual method of receiving money via anonymity centric cryptocurrencies like Monero or Bitcoin.
Featuring 4 encrypted C2 servers as a part of its code; these can be used by the malicious program to receive commands performing a range of tasks including but not limited to:
- Making a phone call on any number specified.
- Letting the server know of all installed applications on the device.
- Opening a remote shell on the device which can let the attackers control the device remotely and also gain administrator privileges.
- Deleting the malware itself.
How Lucy manages to infiltrate a smartphone is by abusing Android’s in-built accessibility features. As the researchers explain in a blog post,
“It(Lucy) displays a message asking the user to enable SVO (Streaming Video Optimization). By clicking ‘OK’, the user grants the malware permission to use the accessibility service. Now Lucy is ready to initiate its malicious plan to encrypt the data on the victim’s device”
Thereby, posing as a legitimate video application, the malware is installed without any user action making the process seamlessly smooth.
To add to this, 80 samples related to Lucy were found to be distributed through social media & instant messaging apps. The names of these apps aren’t known as of yet.
Concluding, this is one of the few smartphone ransomware that have been seen currently in the cybersecurity world with the majority usually aimed at larger computer systems. Hence, it would be just to say that this hints towards another trend arising that would haunt the world of smartphones soon.
This, however, is not the first time that Android users have been targeted by ransomware. Last year, ransomware was found infecting devices through pornographic posts. The list of ransomware infections against Android devices is never-ending.
To protect yourself, refrain from downloading any file regardless of its format from an unreputable source on your phone and also install a good anti-malware program alongside.