Black Rose Lucy – A New Malware-as-a-Service (MaaS)

Black Rose Lucy

We all might have heard about Software-as-a-service (SaaS), Platform-as-a-service (PaaS) and Infrastructure-as-a-Service (IaaS). These three terms are used for explaining different models of cloud services, which are used for implementing various functions.

But, as we live in the tech world, every day new terms are created. Similarly, a recent word related to above was created that is Malware-as-a-Service (MaaS), a botnet used by cybercriminals for carrying out malicious activities. There are a lot of low-level attackers, which avail or buy Malware as a service from legitimate providers, in a similar way someone buy cloud services.

Well, talking about Malware-as-a-Service, recently, a MaaS botnet dubbed as ‘Black Rose Lucy’ was discovered by researchers at Check Point Research. It stops Android users from running security applications and settings on their Android devices.

According to researchers, Black Rose Lucy is innovated and developed by Russian Team, which is dubbed as ‘The Lucy Gang’.

Black Rose Lucy: Components

Black Rose Lucy is a combination of loader and dropper. The names are dubbed as Lucy loader and Black Rose dropper.

Lucy Loader

It’s a remote-controlled panel to control victim’s device. It is used to host and deploy malicious payloads on victim’s device. Also, it provides attackers with geo-location of targeted devices. On this dashboard, a lot of devices will be connected, and once the malware is uploaded by attackers on dashboard, connected devices will automatically get infected with the uploaded malware and payloads. The botnet will act as the attackers want it to act.

Black Rose Dropper

This dropper installs itself in Android devices as an Android system upgrade or as image files. It is used to gather all the information and personal data from victim’s device. Following to which, this data is sent to Command and Control (C&C) server. To install malicious software and payloads on Android device, it primarily influences device accessibility services, so that there is no user interaction and execute some anti-analysis techniques to stay hidden and unidentified.

Also Read : 3 Advanced Steps To Remove Stubborn Malware From Your PC

How Does It Work?

Let us take a look at the working of Black Rosy Lucy:

1. First of all loader and dropper are deployed on victim’s Android device. This is because loader will act as system admin once installed and dropper, which takes control of accessibility services. With control of accessibility it becomes easy to install APK files and self-protection setup on device that too without victim’s consent.

2. Dropper after installation, makes itself hidden and registers on Monitor service.

3. Following to which, within 60 seconds, monitoring service pops up an alert window, displaying a message that Android device is in danger. It prompts Android user to turn on accessibility service for application named ‘Security of the system’, which is a dropper in real. The message is displayed endlessly until user enables accessibility of the device.

Black Rose Lucy

4. In background, monitor service executes a process, which allows to restart Black Rose every time the device is locked or unlocked.

Later, researchers also observed a new version of Black Rose, which can adopt DEX payloads instead of APKs. The targeted Android users are said to be located in France, Israel and Turkey. In future, Lucy gang might be willing to take special case of handling and hacking MI user interface, as it is the most used Android device in Asia and East Europe. And who might know next stop for Lucy Gang could be China.

However, amidst the increasing cyberthreats and cyberattacks, all we can do is stay safe by keeping our data and personal information safe. So, make sure, you use active and more precise security solutions to keep your Android device away from malware and other trojans.

Must Read : What Is Kovter Malware And How To Stop It?

If you found this helpful, please let us know. You can also drop your feedback in the comment section below.