New Black Rose Lucy botnet is a Russian MaaS that can target Android devices

• Black Rose Lucy is believed to have been created by the Russian cybercrime group The Lucy Gang.
• Experts believe that the botnet could become a “cyber swiss army knife”, allowing global cybercriminals to conduct a wide range of attacks.

A new botnet dubbed Black Rose Lucy recently emerged in the Malware-as-a-service (MaaS) realm. The botnet is believed to be the creation of the Russian cybercrime group - The Lucy Gang. The botnet can allow hackers the ability to target Android OS devices.

The botnet is being marketed alongside the Lucy Loader - a remote control dashboard that can control victim devices and deploy additional malware payloads. The Black Rose Dropper, which is a malware dropper that can target Android devices, steal device data, and drop additional malware, is also included in the botnet package.

“As we found simulated victims on this dashboard to be located in France, Israel, and Turkey, we believe the Lucy Gang may be conducting demos to potential hacker groups that are interested in attacking these countries,” Check Point security researchers, who discovered the new Russian botnet, wrote in a blog. “We got the impression that Black Rose Lucy has plans to become a botnet service far beyond the Russian border due to the Black Rose dropper currently supporting an English, Turkish and Russian user interface.

Android defense’s Achilles heel

According to Check Point researchers, a new campaign leveraging Black Rose Lucy began in early August and has already targeted around 86 devices in Russia. The researchers believe that the botnet could become a “cyber swiss army knife”, allowing global cybercriminals to conduct a wide range of attacks.

“The Android accessibility service, which mimics a user’s screen click, could be abused by malware to walk around such security restrictions. An accessibility service is introduced so that users can automate and simplified certain repeated tasks,” Check Point researchers said. “For Black Rose, though, it is the Achilles’ heel in Android’s defense. Once it has successfully tricked victims to enable accessibility service for Black Rose, it carries out APK file installation and self-protection setup without victim consent.”

Black Rose Lucy’s capabilities

The Lucy Loader dashboard allows cybercriminals the ability to view the geolocation of the devices infected by Black Rose Lucy. The loader also allows cybercriminals to download malware variants onto its dashboard and later push it out “en masse” to all the devices infected by the botnet.

Meanwhile, the Black Rose Dropper comes disguised as either an Android upgrade or an image file and can install payloads without any user interaction. The malware dropper leverages Android’s accessibility services to do so and hides its icon after it has been installed onto a targeted device. The dropper repeatedly prompts victims to enable the Android accessibility service for an app called “Security of the system”.

“Because the Android accessibility service can mimic a user’s on-screen click, this is the crucial element in order for Black Rose to carry out malicious activities,” Check Point researchers said. “Once the accessibility service is enabled, Black Rose can quickly shuffle through screens to grant itself device admin privileges (if these have not previously been granted), and ignore system battery optimization so that void being killed by Android battery optimization process.”

Apart from detection-evading features, the Black Rose dropper also allow attackers the ability to stop victims from using the factory reset option. Whenever the factory reset menu is opened on an infected device, the malware will immediately click on the “Home or the “Back” button.

New Black Rose Dropper version

Check Point researchers said that they also found a new version of the Black Rose Dropper, which uses a domain name instead of an IP address for the C2 server. This makes the botnet less vulnerable to a server takedown and boosts its communications.

“Considering the Xiaomi phone’s growing popularity in Asia and East Europe, Black Rose has special logic and handling of MIUI in some malicious activities. In the self-protection mechanism, it pays a lot of attention to Chinese security and system tool applications,” Check Point researchers added. “These observations make us believe that Black Rose Lucy’s next stop could well be China, the largest Android phone market, and countries where Chinese phones are popular (such as CIS countries) In the meantime, it is France, Israel, and Turkey that remain at the top of the list.”