Ransomware attacks generally follow the same playbook. The attacker encrypts or locks sensitive files on your computer or device and demands a ransom to unlock them. In most cases, the criminals behind the attack make no attempt to mask their identity, confident in their ability to convince enough people to pay the ransom. But one new malware campaign analyzed by cyber threat intelligence provider Check Point Research spoofs the FBI to lend an air of legitimacy to the ransom demand.
In a blog post published Tuesday, Check Point revealed the details behind a Malware-as-a-Service (MaaS) botnet known as Black Rose Lucy. Originally seen by Check Point in September 2018, Lucy acts as a dropper to spread malware and take control of Android devices.
After a successful infection on an Android device, Lucy encrypts files and then displays a ransom note in a browser window. This note claims to be an official message from the FBI that accuses the victim of owning and storing pornography.
Beyond encrypting the data and locking the device, the attacker warns that the details of this offense have been sent to the FBI Cyber Crime Department’s Data Center. To regain control of the device, the victim is then told to pay a fine of $500 by using a credit card.

In its analysis, Check Point found more than 80 samples of this attack distributed mostly through social media links and messaging apps. Masquerading as regular video player apps, these samples are able to control infected devices by exploiting the Android accessibility service, which is designed to assist people with disabilities by automating certain user interactions. To launch the attack, Lucy asks users to enable Streaming Video Optimization (SVO). This gives the botnet permission to use the accessibility service, thus allowing it to encrypt files on the device.
The malware’s code points to four different encrypted command and control (C&C) servers that can communicate with Lucy. The C&C servers are coded as domain names rather than IP addresses, which means that any one server taken offline can be brought back simply by pointing its domain at a different IP address. The code indicates a range of commands that the C&C servers can issue without the user’s knowledge or permission, including ones to view all the directories on the device to encrypt files, decrypt files if the ransom is paid, decline the payment, and remove the malware from the device.
“We are seeing an evolution in mobile ransomware,” Check Point Manager of Mobile Research Aviran Hazum said in a press release. “Mobile malware is more sophisticated, more efficient. Threat actors are learning fast, drawing from their experience of past campaigns. The FBI mimic is a clear scare tactic. Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack. It’s a scary but very real possibility. We urge everyone to think twice before accepting or enabling anything while browsing videos on social media.”
To guard against mobile malware, Hazum advises people to install a security product on their device, use only official app stores and markets, and always keep the operating system and apps up to date.
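An added example, not from Check Point or the original article: a Python audit that flags enabled accessibility services belonging to apps that did not come from an official store, the combination Lucy depends on. It parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`; the sample outputs and package names are constructed, and treating only Google Play (`com.android.vending`) as a trusted installer is an assumption.

```python
import re

# Assumption: Google Play is the only trusted installer; add other official stores here.
TRUSTED_INSTALLERS = {"com.android.vending"}

def enabled_service_packages(raw):
    """Packages named in `settings get secure enabled_accessibility_services`,
    a colon-separated list of package/ServiceClass components ("null" if unset)."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pkgs = [comp.split("/", 1)[0] for comp in raw.split(":") if comp]
    return list(dict.fromkeys(pkgs))  # de-duplicate, keep order

def installers(raw):
    """Map package -> installer from `pm list packages -i` lines of the form
    'package:<name>  installer=<installer|null>'."""
    found = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def system_packages(raw):
    """Package names from `pm list packages -s` (preinstalled system apps)."""
    return {l.strip()[8:] for l in raw.splitlines() if l.strip().startswith("package:")}

def flag_services(services_raw, installers_raw, system_raw):
    """Enabled accessibility services whose app is neither a system package
    nor installed by a trusted store: the sideloaded case to review."""
    inst, system = installers(installers_raw), system_packages(system_raw)
    return [p for p in enabled_service_packages(services_raw)
            if p not in system and inst.get(p) not in TRUSTED_INSTALLERS]

# Constructed sample output; package names are invented for illustration.
SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
            "com.example.videoplayer/.SvoService:com.example.reader/.ReadAloud")
INSTALLERS = """package:com.google.android.marvin.talkback  installer=null
package:com.example.videoplayer  installer=null
package:com.example.reader  installer=com.android.vending"""
SYSTEM = "package:com.google.android.marvin.talkback"

if __name__ == "__main__":
    for pkg in flag_services(SERVICES, INSTALLERS, SYSTEM):
        print("review accessibility service from unofficial source:", pkg)
```

Preinstalled apps also report `installer=null`, which is why the system package list is subtracted before flagging.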
