According to researchers from Check Point, the botnet has been developed by a group of Russian-speaking hackers known as "The Lucy Gang," and demos have already been provided to potential subscribers to the system looking for Malware-as-a-Service (MaaS) solutions.
Botnets are a thorn in the side for cybersecurity firms, hosting providers, and everyday businesses alike. The systems are made up of enslaved devices including mobile devices, Internet of Things (IoT) gadgets, and PCs.
These products are then issued commands by a command-and-control (C2) server controlled by the botnet operator to perform a variety of malicious activities, including mass spam email campaigns and distributed denial-of-service (DDoS) campaigns.
This botnet is no different, the security team said in a blog post. However, Black Rose Lucy does appear to be a specialist system for compromising devices operating on Google's Android operating system.
If Android devices are not jailbroken, security systems in the OS require users to actively give apps consent and permissions to perform sensitive functions or gather user data.
However, the researchers say that Black Rose Lucy takes advantage of the Android accessibility service to dupe victims into granting consent for the service, leading to the installation of malicious APK files.
Black Rose Lucy registers with the Monitor service upon installation. After a minute has passed, the malware displays an alert claiming the device is in danger and requests that the victim enable the Android accessibility service for an app called "Security of the system."
If enabled, victims are then required to give device admin privilege to Black Rose, permissions to show windows on top of other applications, and the ability to ignore Android battery optimization functions.
"Because the Android accessibility service can mimic a user's on-screen click, this is the crucial element in order for Black Rose to carry out malicious activities," the researchers say. "When receiving APK files from the C2 server, Black Rose conducts installations by the same technique, going through installation steps by simulating user clicks."
The botnet compromises of "Lucy Loader," a remote dashboard which permits operators to review and control compromised devices connected to the network, as well as deploy additional malware payloads.
A sample of the malware secured by the research team revealed a botnet setup involving 86 enslaved devices. Infections are very recent and only began in August this year.
There is also a number of self-protection mechanisms of note, including checks for popular security tools and system cleaners, as well as Chinese protective solutions.
As the botnet gains click mimicry through the accessibility service, if one of these products is found, the malware attempts to "back" or "home" button click to exit the tool -- or at least prevent the victim from using them.
The same technique is used to prevent factory resets from taking place.
As the dropper is supported in Russian, English, and Turkish, the security team believes the botnet's operators are very likely to want to enter the global stage.
In particular, China has been indicted as a potential area ripe for exploit, given that the botnet's creators have spent a long time working out how to circumvent Chinese security and system tools in the background.
"While it may well still be in its early stages, given time it could easily become a new cyber swiss army knife that enables worldwide hacker groups to orchestrate a wide range of attacks," Check Point said.
How to discover and destroy spyware on your smartphone (in pictures)