Android Alert: Ransomware Now Threatens Android
Updated: May 10, 2020
Researchers from Check Point have reported that Lucy ransomware is back in action. This time, Lucy targets Android users while impersonating the FBI. As explained in a recent post, Lucy first caught the attention of Check Point back in 2018.
Now, after two years, the ransomware, which is offered as malware-as-a-service (MaaS), is back with improved capabilities to target Android devices. Briefly, the malware spreads mainly through social media links and instant messaging apps. The researchers found at least 80 different samples carrying this Lucy variant. Upon entering the target device, the malware tricks the user into granting it access to the Android Accessibility Service. As stated in the post, it displays a message asking the user to enable SVO (Streaming Video Optimization).
By clicking ‘OK’, the user grants the malware permission to use the accessibility service. Lucy is then ready to carry out its plan to encrypt the data on the victim’s device. The permission lets the malware take control of the smartphone’s screen and WiFi, keeping both ‘On’. After that, Lucy starts encrypting all files. Once verified, it displays the ransom note via the device’s browser, which appears as a notice from the US FBI. This notice may be enough to scare the victim into paying the ransom which, to them, appears to be a fine for cybercrime.
Below is a copy of the ransom note.
The malware also performs other activities on the device. Its capabilities include making calls to the C&C server number, sending a list of all installed apps to the C&C, and, most peculiarly, displaying a message to the victim regarding a failed payment.
Ransom Not Demanded In Bitcoins
Although Lucy typically behaves like any other ransomware, what makes it unique is the way it asks for payment.
While the attackers behind most other ransomware demand ransom in Bitcoins, Lucy Gang asks for a payment of $500 via the victim’s credit card. It seems that by asking for payment by credit card, the attackers can gather victims’ payment card data, which they can exploit in the future as well.
Certainly, this ransomware attack reiterates the need for vigilance while installing apps on mobile phones. Users must always ensure that they only download apps from official stores and trusted developers. Moreover, users should also keep their Android devices secure by ensuring prompt updates, using a robust antivirus, and employing safe browsing habits.
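Because Lucy depends on the victim enabling an accessibility service for an app obtained outside an official store, a defender can audit a device for exactly that combination. The following is an added example, not code from Check Point or from the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags enabled accessibility services whose package was not installed by a trusted store. The package names, the sample output and the trusted-installer list are constructed assumptions.

```python
import re

# Installer packages treated as official stores (assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(value):
    """Split the colon-separated 'package/class' list into (package, class) tuples."""
    value = value.strip()
    if not value or value == "null":  # nothing enabled
        return []
    services = []
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.append((pkg, cls))
    return services

def parse_installers(pm_output):
    """Map package -> installer (None if unknown) from `pm list packages -i` lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_sideloaded_services(settings_value, pm_output):
    """Return enabled accessibility services not installed by a trusted store.
    Preinstalled system apps also report no installer and need manual review."""
    installers = parse_installers(pm_output)
    return [(pkg, cls, installers.get(pkg))
            for pkg, cls in parse_enabled_services(settings_value)
            if installers.get(pkg) not in TRUSTED_INSTALLERS]

# Constructed sample output; com.example.svo.player is a hypothetical package.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.svo.player/.OptimizerService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.svo.player  installer=null
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, cls, installer in flag_sideloaded_services(SAMPLE_SETTINGS, SAMPLE_PM):
        print(f"REVIEW: {pkg}{cls} has accessibility access (installer={installer})")
```
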