Android malware impersonates FBI to extort a ransom


Check Point’s researchers have uncovered a new variant of Russian Android malware dubbed Black Rose Lucy that downloads and installs malware that has ransomware capabilities.

In total, Check Point collected 80 samples of the new Black Rose Lucy variant. The samples disguised themselves as harmless-looking video player applications, leveraging Android’s accessibility service to install their payload without any user interaction, creating an interesting self-protection mechanism, the security company reports.

Black Rose Lucy is distributed via social media and instant messengers as a video player application. Once installed, it tricks the user into enabling the accessibility service by pretending to activate a bogus feature, VSO - video streaming optimiser. It then uses the accessibility service to grant itself device administrator privileges, encrypts the files on the device, and stores the encryption key in the app’s shared preferences.
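The capability chain just described (an accessibility service that is used to obtain device-admin rights, followed by file encryption) leaves a recognisable footprint in an app’s manifest. The following static triage check is an added example, not Check Point’s tooling or code from the malware; the two manifests are constructed, and the package and class names in them are made up. It flags an app that declares both an accessibility service and a device-admin receiver for analyst review:

```python
"""Static triage of an AndroidManifest.xml for the accessibility + device-admin pattern.

Added example (not Check Point's tooling). The manifests below are constructed;
in practice the manifest is extracted from an APK first (e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERM = f"{{{ANDROID_NS}}}permission"

# Binding permissions that mark an accessibility service and a device-admin receiver.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"
STORAGE_WRITE = "android.permission.WRITE_EXTERNAL_STORAGE"

# Constructed sample: a "video player" that also declares an accessibility service
# and a device-admin receiver, the combination described in the article.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".VsoService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary player with no privileged components.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Player">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage(manifest_xml: str) -> dict:
    """Report which privileged capabilities a manifest declares and a review verdict."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "accessibility_service": False,
        "device_admin_receiver": False,
        "storage_write": False,
    }
    app = root.find("application")
    if app is not None:
        # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
        for svc in app.findall("service"):
            if svc.get(ATTR_PERM) == ACCESSIBILITY_BIND:
                findings["accessibility_service"] = True
        # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component.
        for rcv in app.findall("receiver"):
            if rcv.get(ATTR_PERM) == DEVICE_ADMIN_BIND:
                findings["device_admin_receiver"] = True
    for up in root.findall("uses-permission"):
        if up.get(ATTR_NAME) == STORAGE_WRITE:
            findings["storage_write"] = True
    # Accessibility service plus device admin is the chain the article describes;
    # a media player has no legitimate need for both, so send it for review.
    chain = findings["accessibility_service"] and findings["device_admin_receiver"]
    findings["verdict"] = "review" if chain else "low"
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is deliberately a heuristic: legitimate accessibility apps and MDM agents declare these components too, so the output is a review queue, not a malware verdict.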

The malware then shows the user a ransom note that appears to come from the FBI, stating that they are guilty of pornographic crimes. It tells the user that their details have been uploaded to the FBI Cyber Crime Department’s Data Center and lists the legal offences they are supposedly accused of committing. Finally, the target is instructed to pay a US$500 “fine” by providing credit-card information.

“We are seeing an evolution in mobile ransomware,” says Aviran Hazum, Check Point’s manager of Mobile Research. “Mobile malware is more sophisticated, more efficient. Threat actors are learning fast, drawing from their experience of past campaigns.”

He says the FBI mimic is a clear scare tactic. “Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack. It’s a scary but very real possibility. We urge everyone to think twice before accepting or enabling anything while browsing videos on social media.”

To protect against this scourge, Hazum advises users to install a security solution, only use official markets to get apps, and keep the device OS and apps up to date at all times.
