Originally discovered in 2018, the Android malware known as Black Rose Lucy, or simply Lucy, has recently expanded its capabilities. When initially spotted it was being used as a malware as a service and botnet dropper targeting Android, but now it’s able to encrypt files and carry out complete device takeover. If downloaded, the ransomware will encrypt files and then display a ransom note that falsely states the FBI knows that there are illegal materials on the device and demands a $500 fee. In order to pay the fee users are asked for their credit card information, which would also be stolen in the process. More than 80 samples known to be linked to the Lucy variant were analyzed by Check Point and they found that it was being passed around on social media and IM apps. When it first infects a victim device, it will ask for “Streaming Video Optimization” to be enabled, which actually gives the ransomware permission to access accessibility services. Once Lucy has administrator privileges, it can carry out a number of tasks that are requested by the Command and Control server (C&C) such as making phone calls, listing the device’s directories and installed apps, opening a remote shell on the device, displaying a message that payment was declined, and deleting itself.
Mobile malware frequently targets Android devices because it is easy for device owners to download Android Package (APK) files from untrustworthy sources and install apps outside of the Google Play store. Several antivirus apps are available for Android devices that can detect known mobile malware. Android device users are advised to stay informed about new campaigns and install security patches when available. It’s also suggested that users do not download apps from unknown sources, including links received in email or text messages. Backing up data regularly can also help in the case that files are extracted from the device and aren’t able to be accessed any longer.