
Published on April 28th, 2020


Lucy malware for Android adds file-encryption for ransomware ops



A threat actor focusing on Android systems has expanded their malware-as-a-service (MaaS) business with file-encrypting capabilities for ransomware operations.

Named Lucy Gang by researchers, the actor is a Russian-speaking team that made itself known two years ago with the Black Rose Lucy service, offering botnet and malware dropping capabilities for Android devices.

No cryptocurrency demand

The new feature allows customers of the service to encrypt files on infected devices and show a ransom note in the browser window asking for $500. The message purports to be from the FBI and accuses the victim of storing adult content on the mobile device.

The purpose of the fake FBI note is to scare the victim into complying with the cybercriminals’ demand. It is a plain extortion attempt that preys on fear of legal consequences for visiting adult websites and storing lewd files.

Adding to the scare, the criminals claim that a picture of the victim’s face has been taken and uploaded to the FBI’s cyber crime data center along with location details. Payment is expected within three days of the notification; otherwise, the message warns, the fine triples.

Interestingly, the attacker does not take cryptocurrency. Instead, they demand credit card information. This is unusual, as ransomware operators typically cash in by having victims pay the ransom in cryptocurrency.

According to researchers from Check Point, who discovered the Black Rose Lucy malware family in September 2018, more than 80 samples of the new version have been distributed in the wild via instant messaging apps and social media.

One of the new samples was spotted by Tatyana Shishkova, an Android malware researcher at Kaspersky, who in February tweeted a list of four IP addresses used for command and control (C2).

Speaking to BleepingComputer, Check Point manager of mobile research Aviran Hazum said that the current campaign targets only victims in former Soviet states, for reasons unknown. This restriction is enforced when the malware initializes, by checking the device’s country code.

Using an alert dialog, Lucy then tries to trick the victim into enabling the Accessibility Service, a feature intended to assist users with disabilities by performing tasks on their behalf inside installed apps.
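Because enabling an accessibility service is a user-granted action that survives the dialog that tricked the user into it, a useful defensive check is to audit which services are actually enabled on a device. The following is an added example (not code from the article or from Check Point) that parses the value returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/class` component names, and reports any that are not on an allowlist. The sample value and the allowlist are constructed for illustration; the package and class names in them are hypothetical.

```python
"""Audit the accessibility services enabled on an Android device (added example)."""
from typing import Iterable, List, Optional

# Constructed sample of what `settings get secure enabled_accessibility_services`
# returns. Android stores the list as package/class pairs separated by ':'; a class
# name starting with '.' is relative to its package. The second entry is hypothetical.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded.app/.AccessService"
)

# Hypothetical allowlist of the accessibility services an organisation expects to see.
ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_component_names(setting_value: Optional[str]) -> List[str]:
    """Split the setting into fully qualified package/class component names.

    An empty or 'null' value (no services enabled) yields an empty list, and a class
    beginning with '.' is expanded against its package, mirroring how Android resolves it.
    """
    if not setting_value or setting_value.strip() == "null":
        return []
    components: List[str] = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # skip malformed fragments instead of aborting the audit
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        components.append(f"{pkg}/{cls}")
    return components


def audit_accessibility_services(setting_value: Optional[str], allowlist: Iterable[str]) -> List[str]:
    """Return the enabled accessibility services that are not on the allowlist."""
    allowed = set(allowlist)
    return [c for c in parse_component_names(setting_value) if c not in allowed]


if __name__ == "__main__":
    for unexpected in audit_accessibility_services(SAMPLE_SETTING, ALLOWLIST):
        print("unexpected accessibility service enabled:", unexpected)
```

On a real device the setting value is read with `adb shell settings get secure enabled_accessibility_services`; any component the audit reports should be traced back to the app that registered it, since an accessibility service can read screen content and act on the user's behalf.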

“Inside the MainActivity module, the application triggers the malicious service, which then registers a BroadcastReceiver that is called by the command action.SCREEN_ON and then calls itself. This is used to acquire the ‘WakeLock’ service, which keeps the device’s screen on, and ‘WifiLock’ service, which keeps the WIFI on” - Check Point

Encrypt, decrypt, and self-delete

As far as encryption goes, Lucy first tries to retrieve all the directories on the device. In case of failure, it looks for the “/storage” directory. If this also fails, the malware searches for the “/sdcard” folder.

In the next stage, it starts encrypting the data in the selected storage location and verifies the success of the operation when it completes. The procedure does not discriminate between files, Hazum told us, as long as they can be encrypted/decrypted.

“On this campaign, we have not observed a specific file-type targeting. All files were encrypted” - Aviran Hazum

As an interesting note, there is a false lead in the encryption process. A false key is generated using the AES algorithm with a constant seed of 0x100. This may be a deliberate trick by the malware developer or a mistake in the code.

However, the real encryption key is made of data in the first segment of the ‘SecretKeySpec’ and the ‘Key’ string that is taken from SharedPreferences.

The function responsible for processing the files uses these with the chosen file directory and a boolean variable that switches between the encryption and the decryption mode.

Lucy stores the decryption key on the device, in a SharedPreferences variable, Hazum says, adding that “in order to access other application’s data, the device needs to be rooted, which we do not suggest doing.”
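For an incident responder who already holds a forensic copy of the infected app's private data, the fact that the ‘Key’ string lives in SharedPreferences matters: Android writes those preferences as a small XML file under `/data/data/<package>/shared_prefs/`. The following is an added example (not code from the article or from Check Point) that parses such a file and extracts the ‘Key’ string. The sample file contents are constructed, the key material is a labelled placeholder, and the article does not state how that string is combined with the SecretKeySpec data to form the final key, so this example stops at recovering the stored string.

```python
"""Extract string entries from an Android SharedPreferences XML file (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of a SharedPreferences file in the format Android writes it.
# Only the 'Key' string name comes from the article; the file's other entries and
# the key material itself are hypothetical placeholders.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="Key">PLACEHOLDER_KEY_MATERIAL</string>
    <boolean name="encrypted" value="true" />
    <int name="run_count" value="3" />
</map>
"""


def parse_shared_prefs(xml_text: str) -> Dict[str, str]:
    """Return every <string name="..."> entry of a SharedPreferences file as name -> value."""
    # Parse as bytes so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file: root element is {root.tag!r}")
    prefs: Dict[str, str] = {}
    for element in root.findall("string"):
        name = element.get("name")
        if name is not None:
            prefs[name] = element.text or ""
    return prefs


def recover_key_string(xml_text: str, key_name: str = "Key") -> Optional[str]:
    """Return the stored key string, or None if it is absent.

    None is the expected outcome when the operator has already issued the C2 command
    that deletes the encryption keys, so callers should treat it as a real possibility.
    """
    return parse_shared_prefs(xml_text).get(key_name)


if __name__ == "__main__":
    recovered = recover_key_string(SAMPLE_PREFS_XML)
    print("stored 'Key' string:", recovered if recovered is not None else "<absent>")
```

The preferences file is only readable from the app's own sandbox or from a rooted device or a full device image, which is why Hazum cautions against rooting a production device to get at it; a responder working on an image copied off the device runs this against that copy instead.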

Check Point’s analysis reveals that, after the decryption process, the malware sends logs reporting that all files were processed and then runs a command to delete itself.

A look into the commands sent from the C2 shows that Lucy can make calls, export a list of installed apps, delete the encryption keys, or run a remote shell on the device. A set of commands from the C2 that the malware recognizes is available below:
