Black Rose Lucy Malware Returns As Sneaky Ransomware Aimed At Android Devices

lucy ransomware

Ransomware is a global problem that can strike individual, organizations, and even health institutions to disastrous results. It demands that the user send money, typically in the form of cryptocurrency to the attackers to have their devices and files unlocked. An old ransomware threat called Black Rose Lucy that was initially discovered in September 2018 is now making a resurgence.

Black Rose Lucy is a malware-as-a-service botnet for Android devices where it can take control of the victim's devices to make changes and install new malicious applications. When the Lucy malware is downloaded, it encrypts files on the infected device and displays a ransom note in the browser window claiming to be an official message from the FBI.

The ransom note accuses the victim of possessing pornographic images on the device and states that the user's details have been uploaded to the FBI Cyber Crime Department's Data Center. The warning message also includes a list of offenses the user is accused of committing. The ransom demand instructs the user to pay a $500 fine. Interestingly, rather than trying to get the user to pay using the more common cryptocurrency, Lucy asks the victim to provide credit card information.

Check Point researchers say that they have discovered more than 80 samples distributed mainly via social media links, and IM messages associated with the new and active Lucy variant. Android has protections that require users to carry out manual configuration to enable an application to have device administrator privileges. However, the Android accessibility service can automate user interactions with the device and could be used by malware to get around those security restrictions. Lucy specifically uses a sneaky method of getting inside the Android device to block defense mechanisms.

lucy back malware popup

Lucy displays a message that asks the user to enable SVO or Streaming Video Optimization. When the user clicks OK, it's granting the malware permission to use the accessibility service. That permission allows Black Rose Lucy to begin its attack on the user device. The researchers say that samples of Lucy they acquired were disguising themselves as seemingly harmless video player applications. 

Ransomware can have real-world implications. In the healthcare industry, researchers linked a rise in heart attack fatalities to ransomware infections of hospital computer systems.