A new variant of ransomware is infecting Android smartphones and attempting to pressure victims into paying to retrieve their encrypted files by claiming to be the work of the FBI. But the campaign could be more than just about making a quick buck.
Black Rose Lucy ransomware first emerged in late 2018, but its authors have continued to tweak their offering and now as well as encrypting files, it can also take control of infected smartphones and tablets to make changes and install other forms of malware.
Lucy's new capabilities have been detailed by researchers at security company Check Point, who found samples of the ransomware being distributed by social media links and messenger applications.
SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
After a device is infected, the malware shows a message asking the user to enable 'streaming video optimization'. But if the user agrees to this, they're actually agreeing to allow Lucy to use accessibility services. It's by abusing the automated functions of Android accessibility services that ransomware is activated on the device and the victim is presented with a ransom note.
In this case, it pretends to be in an official message from the FBI, claiming the device has been locked because the user has downloaded adult content.
The warning also claims that the victim's details – including their picture and location – have been uploaded to an 'FBI cybercrime department data centre', along with a list of crimes they've supposedly committed. Because of this, the note says the user has to pay a fine of $500.
"We are seeing an evolution in mobile ransomware: it's becoming more sophisticated and efficient. Threat actors are learning fast, drawing from their experience of past campaigns, and the impersonation of a message from the FBI is a clear scare tactic," said Aviran Hazum, manager of mobile research at Check Point.
Of course, the FBI itself doesn't encrypt devices used by the general public for the purposes of extortion, nor does it demand fines over the internet. However, if the victim is coerced into paying, they do so by providing their credit card information, rather than using bitcoin as preferred by many other forms of ransomware.
Handing that information over to the attackers behind Lucy could also potentially result in providing them with the ability to commit additional financial fraud using the victim's credit card details.
But that isn't the only damage that can be done by this campaign because now Lucy is equipped with capabilities which allow it to take control of the victim's device, make changes and install additional malicious applications.
That means that even if the victim pays the ransom to regain access to their device, the malware could still be active in the background, ready to perform other malicious activities as and when the attackers please.
SEE: Cybersecurity: Do these ten things to keep your networks secure from hackers
It's believed that Lucy originated from the Russian cyber-criminal underground and that it's offered 'as-a-service' to users. It's highly likely that the campaign is still active – and users are urged to be cautious about what they download and where they download it from.
"We urge everyone to think twice before clicking on anything to accept or enable functions while browsing videos on social media," said Hazum.
"To stay safe, users should install a security solution on their devices and only use official app stores. And as always, they should keep their device's OS and apps up to date at all times," he added.