A new Malware-as-a-Service (MaaS) ‘orchestration product’, Black Rose Lucy, developed by a Russian-speaking team dubbed ‘The Lucy Gang’, has been identified by Check Point researchers Feixiang He, Bogdan Melnykov and Andrey Polkovnichenko with the help of David Montenegro.
The gang is reported to have already given several demos to potential malicious clients, and the service could give hacker groups worldwide the versatility to orchestrate a wide range of attacks. The Black Rose dropper currently supports English, Turkish and Russian user interfaces, has special logic and handling for MIUI in some of its malicious activities, and handles Chinese security and system-tool applications, which suggests that China, and the CIS countries where Chinese phones are popular, will be targeted next.
The researchers say the Black Rose Lucy MaaS malware bundle comprises:
"Lucy Loader – a remote control dashboard, which controls an entire botnet of victim devices and hosts and deploys additional malware payloads.
"Black Rose Dropper – a dropper that targets Android phones, collects victim device data, listens to a remote command and control (C&C) server and installs extra malware sent from a C&C server."
To become an Android device system admin, an application must explicitly ask for user consent in a pop-up window, or ask the user to navigate through a series of system settings and grant the privilege there. The Android accessibility service mimics a user’s screen clicks and can be abused by malware to work around such security restrictions. An accessibility service lets users automate and simplify certain repetitive tasks. Black Rose exploits this option: it tricks victims into enabling the accessibility service for Black Rose, then carries out APK file installation and self-protection setup without the victim’s consent.
The Lucy Loader Dashboard
The Lucy Loader is reported to control 86 devices from Russia with infections starting from early August this year. A dashboard on the Lucy Loader shows geo-locations of infected devices in its botnet and malware can be uploaded to the dashboard and then pushed en masse to the devices on the entire botnet.
An alert window claims the device is in danger unless the user enables the Android accessibility service for the "Security of the system" app (actually the dropper); the alert repeats until the accessibility service is enabled. The dropper then uses it to force victims to grant further privileges: device admin rights, showing windows on top of other applications and ignoring Android battery optimisation, all of which are required to display the deceptive alert message. Whenever the screen is turned on or off, the dropper restarts itself.
Currently the Monitor service focuses on fetching APK file installation tasks from the C&C server and sending logs back to the C&C server; those logs contain device status data, Black Rose health data and task execution logs.
Because the Android accessibility service can mimic a user’s on-screen clicks, it lets Black Rose carry out its malicious activities, including granting itself device admin privileges; the dropper also contains a range of self-protection mechanisms.
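The privilege combination described above (accessibility service, device admin and a battery-optimisation exemption, all held by one app) suggests a simple triage check for Android administrators. The following is an added example, not code from the article or from Check Point's research: it parses the output of three adb commands (`settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `dumpsys deviceidle whitelist`) and flags any package holding two or more of those privileges. The sample outputs and package names are constructed, and their exact formats are an assumption that may differ across Android versions.

```python
import re

# Constructed samples (assumed formats, not from the article) shaped like three adb outputs:
# `settings get secure enabled_accessibility_services`, `dumpsys device_policy`,
# `dumpsys deviceidle whitelist`. "com.example.sysguard" is a made-up stand-in for the
# fake "Security of the system" app; the other package names are made up too.
ENABLED_ACCESSIBILITY = "com.example.sysguard/.MonitorService:com.android.talkback/.TalkBackService"
DEVICE_POLICY_DUMP = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.sysguard/.AdminReceiver:
      uid=10231
"""
DEVICEIDLE_WHITELIST = """system,com.google.android.gms,10020
user,com.example.sysguard,10231
"""

def accessibility_packages(value: str) -> set:
    """Packages with an enabled accessibility service ('pkg/service' entries joined by ':')."""
    return {entry.split("/")[0] for entry in value.split(":") if entry}

def device_admin_packages(dump: str) -> set:
    """Packages listed as active device admins ('    pkg/.Receiver:' lines in the dump)."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dump, re.MULTILINE))

def battery_exempt_packages(dump: str) -> set:
    """Packages the user exempted from battery optimisation ('user,<pkg>,<uid>' rows)."""
    return {row.split(",")[1] for row in dump.splitlines() if row.startswith("user,")}

def overprivileged(acc: str, policy: str, idle: str, min_hits: int = 2) -> dict:
    """Return {package: privilege labels} for packages holding at least min_hits privileges.
    Accessibility + device admin + battery exemption is the combination the dropper
    described above assembles for itself, so such apps deserve a closer look."""
    holders = {
        "accessibility": accessibility_packages(acc),
        "device_admin": device_admin_packages(policy),
        "battery_exempt": battery_exempt_packages(idle),
    }
    hits = {}
    for label, pkgs in holders.items():
        for pkg in pkgs:
            hits.setdefault(pkg, set()).add(label)
    return {pkg: labels for pkg, labels in hits.items() if len(labels) >= min_hits}

if __name__ == "__main__":
    for pkg, labels in overprivileged(ENABLED_ACCESSIBILITY, DEVICE_POLICY_DUMP, DEVICEIDLE_WHITELIST).items():
        print(f"review {pkg}: {', '.join(sorted(labels))}")
```

A legitimate screen reader such as a TalkBack-style service holds only the accessibility privilege and is not flagged; a package that also appears as a device admin and in the user battery whitelist is.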