Originally discovered in 2018, the Android malware known as Black Rose Lucy, or simply Lucy, has recently expanded its capabilities. When first spotted, it was being used as a malware-as-a-service offering and botnet dropper targeting Android, but it is now able to encrypt files and carry out complete device takeover. If downloaded, the ransomware encrypts files and then displays a ransom note that falsely states the FBI knows there are illegal materials on the device and demands a $500 fee. To pay the fee, users are asked for their credit card information, which would also be stolen in the process.

Check Point analyzed more than 80 samples known to be linked to the Lucy variant and found that it was being passed around on social media and IM apps. When it first infects a victim device, it asks for “Streaming Video Optimization” to be enabled, which actually gives the ransomware permission to access accessibility services. Once Lucy has administrator privileges, it can carry out a number of tasks requested by the command and control (C&C) server, such as making phone calls, listing the device’s directories and installed apps, opening a remote shell on the device, displaying a message that payment was declined, and deleting itself.