This Russian botnet mimics your click to prevent Android device factory resets

Black Rose Lucy has turned up as a new offering in the Malware-as-a-Service (MaaS) space.
Written by Charlie Osborne, Contributing Writer

A new "swiss army knife" botnet originating from Russia has emerged in the Malware-as-a-Service (MaaS) arena, touting Android-based payloads to potential cybercriminal clients.

According to researchers from Check Point, the botnet has been developed by a group of Russian-speaking hackers known as "The Lucy Gang," and demos have already been provided to potential subscribers to the system looking for Malware-as-a-Service (MaaS) solutions.

Botnets are a thorn in the side for cybersecurity firms, hosting providers, and everyday businesses alike. The systems are made up of enslaved devices including mobile devices, Internet of Things (IoT) gadgets, and PCs.


These devices are then issued commands by a command-and-control (C2) server controlled by the botnet operator to perform a variety of malicious activities, including mass spam email campaigns and distributed denial-of-service (DDoS) attacks.

This botnet is no different, the security team said in a blog post. However, Black Rose Lucy does appear to be a specialist system for compromising devices operating on Google's Android operating system.

If Android devices are not jailbroken, security systems in the OS require users to actively give apps consent and permissions to perform sensitive functions or gather user data.

However, the researchers say that Black Rose Lucy takes advantage of the Android accessibility service to dupe victims into granting consent for the service, leading to the installation of malicious APK files.

Black Rose Lucy registers with the Monitor service upon installation. After a minute has passed, the malware displays an alert claiming the device is in danger and requests that the victim enable the Android accessibility service for an app called "Security of the system."


Once the accessibility service is enabled, the victim is then prompted to grant Black Rose device administrator privileges, permission to display windows on top of other applications, and an exemption from Android's battery optimization functions.

"Because the Android accessibility service can mimic a user's on-screen click, this is the crucial element in order for Black Rose to carry out malicious activities," the researchers say. "When receiving APK files from the C2 server, Black Rose conducts installations by the same technique, going through installation steps by simulating user clicks."
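The grant described above leaves a trace a defender can check for: the device's list of enabled accessibility services. The following is an added triage helper, not Check Point's or the malware's code; it parses the value printed by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of flattened component names) and flags any service not on an allowlist. The allowlist contents, the sample output and the package names in it are constructed assumptions.

```python
"""Flag enabled Android accessibility services that are not on a known-good list.

Input is the raw text returned by
    adb shell settings get secure enabled_accessibility_services
which is a colon-separated list of ComponentName strings ("package/class").
"""

# Assumed allowlist: services the organisation knows and trusts (example entry).
KNOWN_GOOD = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of what the settings command might print on a device where
# a legitimate screen reader and one unknown "security" service are enabled.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysecurity/.MonitorService"
)


def parse_enabled_services(raw: str) -> list[str]:
    """Split the settings value into fully qualified 'package/class' names."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'settings get' prints 'null' when the key is unset
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        # The short form "pkg/.Cls" means the class lives inside the package; expand it.
        if cls.startswith("."):
            cls = pkg + cls
        services.append(f"{pkg}/{cls}" if sep else pkg)
    return services


def flag_unknown(raw: str, allowlist=frozenset(KNOWN_GOOD)) -> list[str]:
    """Return enabled services that are not on the allowlist, for manual review."""
    return [s for s in parse_enabled_services(raw) if s not in allowlist]


if __name__ == "__main__":
    for svc in flag_unknown(SAMPLE_OUTPUT):
        print("review:", svc)
```

Run it against the real output of the `adb shell settings get secure` command on a device under investigation; the same check is worth pairing with a review of active device administrators and overlay permissions, which this helper does not cover.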

The botnet comprises "Lucy Loader," a remote dashboard which permits operators to review and control compromised devices connected to the network, as well as deploy additional malware payloads.


A sample of the malware secured by the research team revealed a botnet setup involving 86 enslaved devices. Infections are very recent and only began in August this year.


The botnet uses the "Black Rose Dropper," a malware payload which specifically targets Android mobile devices, harvesting victim data and installing any malware payloads issued by the C2.

The dropper files disguise themselves either as Android system upgrades or image files. The Android accessibility service is abused to install these payloads without user interaction or consent.

Once the permissions are granted and the additional payloads are in place, the botnet sets up background components to maintain persistence, including restarting itself whenever the compromised device is powered off or on.


There are also a number of self-protection mechanisms of note, including checks for popular security tools and system cleaners, as well as Chinese protective solutions.

Because the botnet gains click mimicry through the accessibility service, if one of these products is found, the malware simulates a "back" or "home" button click to exit the tool -- or at least to prevent the victim from using it.

The same technique is used to prevent factory resets from taking place.

As the dropper is supported in Russian, English, and Turkish, the security team believes the botnet's operators are very likely to want to enter the global stage.

In particular, China has been identified as a potential area ripe for exploitation, given that the botnet's creators have spent a long time working out how to circumvent Chinese security and system tools in the background.

"While it may well still be in its early stages, given time it could easily become a new cyber swiss army knife that enables worldwide hacker groups to orchestrate a wide range of attacks," Check Point said.
