The cybercriminals behind the Android-based dropper malware Black Rose Lucy have changed their tactics from stealing information to ransomware, with a hint of sextortion.

Operated by the Lucy Gang, the malware encrypts Android phones and displays a message supposedly sent by the FBI. The ransom note claims that the user has visited forbidden adult sites and that a snapshot of their face was uploaded to the agency's database. Pay $500, and the problem goes away.

The Russian threat actor was first identified in 2018 by Check Point. It first appeared in the form of a malware-as-a-service that could collect its victims' data, listen to a remote command-and-control server, and install additional malware.

With its most recent ransomware attack, researchers said they had discovered more than 80 Black Rose Lucy malware samples. The malware is distributed via social media, where Android users are made to believe they should download a video player.

"We found that the samples we acquired disguised themselves as a harmless-looking video player application, primarily leveraging Android's accessibility service to install their payload without any user interaction and create an interesting self-protection mechanism," wrote co-authors of the Check Point report Ohad Mana, Aviran Hazum, Bogdan Melnykov, and Liav Kuperman.

To entice people to download the malicious video player, Android users receive a notification asking them to download the player to "continue watching the video" on their devices. By clicking "OK," the user gives the attackers full permission to use the Android Accessibility Service, allowing them to install the malware payload without any user interaction.

It should be noted that the FBI doesn't encrypt devices used by the general public for the purpose of extortion. The agency doesn't demand fines over the internet either. However, if the victim is coerced into paying, they do so by providing their credit card information, rather than using Bitcoin as preferred by many other forms of ransomware.

Sextortion scams aren't new at all. In 2019, attackers netted over $300,000 worth of Bitcoin by blackmailing users over email. Black Rose Lucy has evolved into something much scarier, though, since it actually takes your phone hostage. According to the researchers, the use of the FBI angle is "a clear scare tactic." So now, we have a frightened user with a locked device.

Experts recommend that apps should only be downloaded from trusted sources and never from social media or questionable emails. For now, this is the only way to avoid falling victim to Black Rose Lucy.