Android Security

Lucy malware encrypts Android devices and demands $500 as ransom


If you have seen the movie ‘Lucy’, you know how powerful she was, and that is exactly what this Russian-made malware is: sneaky, powerful, troublesome, and self-destructing.

Malicious actors targeting Android have now scaled up their malware-as-a-service (MaaS) business to encrypt files and enhance their ransomware operations. The group, called ‘Lucy’, is Russian and introduced itself with the Black Rose Lucy service, which offers malware and botnet launching protocols as a service for Android devices.

The update to their MaaS now allows the actors to encrypt the files on infected devices and demand a ransom through the browser. The message is customized to appear to come from the FBI and claims that the victim has been identified as storing adult content on their Android device. The actors are capitalizing on the fear a victim feels when the message seems to come from a legal entity instead of a hacker; the prospect of being arrested or penalized for storing adult content and visiting adult websites lures them into making the payment. The message additionally states that the victim’s face has been captured and is now in the FBI cyber crime database. If the victim does not pay the ransom within three days, the ransom is tripled.

Hackers usually prefer bitcoin for the ransom; however, the Lucy gang requested $500 as the initial payment.

Security researchers from Check Point discovered the Black Rose Lucy malware variants in September 2018; they have now identified around 80 different samples being distributed in the wild by the actors.

Tatyana Shishkova, an Android security researcher from Kaspersky, identified one of these samples in February 2020; she also tweeted the four IP addresses used for the C&C server.

According to Bleeping Computer’s discussion with Check Point’s manager of mobile research, the malware is currently being actively distributed in Soviet states only. The actors check the country code of the device before the malware is initiated. Once activated, Lucy lures users into enabling the Accessibility Service on their Android device with a pop-up alert that asks the user to enable video streaming optimizations.

“Inside the MainActivity module, the application triggers the malicious service, which then registers a BroadcastReceiver that is called by the command action.SCREEN_ON and then calls itself. This is used to acquire the ‘WakeLock’ service, which keeps the device’s screen on, and ‘WifiLock’ service, which keeps the WIFI on” – Check Point

Once Lucy is inside the device, it begins its encryption procedure by retrieving all the directories under /storage or /sdcard, moving on to the next potential storage location if one fails. After successfully identifying data, Lucy begins the encryption and verifies it on completion, thus encrypting all file types without discrimination. After the encryption, the malware stores the decryption key on the device itself; later, if the ransom is paid, it sends the logs to the actors after decryption and deletes itself from the device.

According to Check Point researchers, Lucy can make calls, send a list of the apps installed on the device, delete encryption keys, run a remote shell on the device, display payment-declined messages, and self-destruct after successful task completion.
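
As an added defensive example (not from Check Point or the original article), the code below triages a decoded AndroidManifest.xml for the combination described above: an accessibility service together with the WAKE_LOCK permission needed for WakeLock and WifiLock, external-storage write access, and call capability. The weights, the review threshold, the helper names and the sample manifests are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions matching capabilities the article lists. Weights are assumptions.
TRAITS = {
    "android.permission.WAKE_LOCK": "can hold WakeLock/WifiLock",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can rewrite files on /sdcard",
    "android.permission.CALL_PHONE": "can place calls",
}

def triage_manifest(xml_text):
    """Score one decoded manifest; review only if an accessibility service
    is combined with at least two of the supporting permissions."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == BIND_A11Y]
    findings = [f"accessibility service {name}" for name in a11y]
    findings += [label for perm, label in TRAITS.items() if perm in requested]
    score = (3 if a11y else 0) + sum(perm in requested for perm in TRAITS)
    return {"package": root.get("package"), "score": score,
            "findings": findings, "review": bool(a11y) and score >= 5}

def manifest(package, permissions, a11y_service=None):
    """Build a constructed sample manifest (not taken from any real app)."""
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    perms = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    svc = (f'<service android:name="{a11y_service}" '
           f'android:permission="{BIND_A11Y}"/>') if a11y_service else ""
    return (f'<manifest {ns} package="{package}">{perms}'
            f'<application>{svc}</application></manifest>')

# Constructed samples: a lookalike "streaming optimizer", a screen reader, a player.
SAMPLES = {
    "optimizer": manifest("com.example.streamboost", list(TRAITS), ".OptimizeService"),
    "reader": manifest("com.example.reader", [], ".ReaderService"),
    "player": manifest("com.example.player", list(TRAITS)[:2]),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        result = triage_manifest(xml_text)
        print(label, result["score"], result["review"], result["findings"])
```

A SCREEN_ON receiver like the one in the Check Point quote is registered at runtime, so it does not appear in the manifest and needs code or behavioural analysis to confirm.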

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
