Tue. Jun 2nd, 2020

New malware-as-a-service, Black Rose Lucy targets Android devices


Like malicious traffic, malware can now be deployed directly through the cloud, and there is now a term for it: malware-as-a-service.

A few days ago, the security company Check Point reported that Black Rose Lucy, a malware-as-a-service operation created by a Russian hacker group, is still at an early stage but has great potential for further development.

Hacking attacks now follow a highly professional division of labour: those who lack hacking skills only need to buy the services that professionals provide.

Using accessibility services to form a self-protection mechanism:

The dashboard the Russian hacking team currently displays resembles a world map, showing the location of bots around the world and the operational process.

Buyers of the malware service only need to click "upload" to send new malware to the infected devices; once the transfer completes, the system installs it automatically.

Initially, the malware poses as an Android system upgrade or an image file to induce users to download it, then takes control of the device and waits for a new buyer to pay for access.

When a buyer uploads malware, the infected device receives it automatically as system-level malware, and simulated clicks performed through the Android Accessibility Service grant it administrator privileges.

No user involvement or action is needed at any point, and new malware can be pushed to every device in the botnet within a few minutes.
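Because the whole chain hinges on an accessibility service the user never knowingly enabled, one cheap defensive check is to audit which accessibility services a device has turned on. Android keeps that list in the secure setting enabled_accessibility_services, readable over ADB with `adb shell settings get secure enabled_accessibility_services`. The script below is an added example for this article, not code from Check Point or from the malware operation: it parses that setting's value and flags any entry whose package is not on an allowlist. The sample value, the allowlist and the package name com.example.sysupdate are constructed placeholders, not indicators from the report.

```python
"""Audit the accessibility services enabled on an Android device.

Android stores the enabled services in the secure setting
enabled_accessibility_services as a colon-separated list of
package/ServiceClass entries. Read it with
    adb shell settings get secure enabled_accessibility_services
and feed the printed value to parse_enabled_services().
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of the setting's value: one legitimate screen reader
# plus a hypothetical unknown package (placeholder name, not a real IoC).
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.UpdateAccessibilityService"
)

# Packages whose accessibility services the device owner expects (assumption
# for this example; a real deployment would maintain its own allowlist).
EXPECTED_PACKAGES = {"com.android.talkback", "com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityEntry:
    package: str
    service: str


def parse_enabled_services(raw: str) -> list[AccessibilityEntry]:
    """Split the raw setting value into (package, service) pairs.

    Android allows a shorthand where the service class starts with '.' and
    is relative to the package; expand it so every entry carries a full class
    name. `settings get` prints the literal string 'null' when nothing is set.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries = []
    for item in raw.split(":"):
        if not item or "/" not in item:
            continue  # skip empty or malformed fragments rather than crash
        package, service = item.split("/", 1)
        if service.startswith("."):
            service = package + service
        entries.append(AccessibilityEntry(package, service))
    return entries


def flag_unexpected(entries: list[AccessibilityEntry],
                    expected: set[str] = EXPECTED_PACKAGES) -> list[AccessibilityEntry]:
    """Return the entries whose package is not on the allowlist."""
    return [e for e in entries if e.package not in expected]


if __name__ == "__main__":
    for e in flag_unexpected(parse_enabled_services(SAMPLE_SETTING)):
        print(f"UNEXPECTED accessibility service: {e.package} -> {e.service}")
```

An unexpected entry is not proof of infection, but an accessibility service belonging to an app that has no accessibility purpose is exactly the capability this family needs for its simulated clicks, so it is worth investigating alongside the device's installed admin apps.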

Automated system monitoring reports system status at any time:

After installation, the malware registers a system monitoring service, which restarts each time the user opens or locks the screen.

At this stage the malware mainly communicates with remote servers to check whether new malware needs to be installed and to upload system logs.

These logs include device status, malware execution and task execution information, and they are uploaded to the server every minute for the controller and the buyer to view.
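A fixed one-minute upload cadence is the kind of regularity that stands out in egress logs. The script below is an added example written for this article, not code from Check Point or from the malware: it reads a constructed, simplified proxy log (one line per request: time, device id, method, URL), groups requests by device and destination host, and flags pairs whose inter-request gaps all sit close to 60 seconds. The log lines, device ids and the .invalid hostnames are constructed; real proxy formats differ, so parse_line() is the function to adapt.

```python
"""Flag devices that contact the same host at a fixed one-minute cadence.

Input is a constructed, simplified egress-proxy log with one request per
line: '<ISO-8601 UTC time> <device-id> <method> <url>'.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit

# Constructed sample: dev-a1 uploads every ~60 s to a placeholder host;
# dev-b2 makes ordinary, irregular requests to a different placeholder host.
SAMPLE_LOG = """\
2020-06-02T10:00:00Z dev-a1 POST http://c2.example.invalid/upload
2020-06-02T10:01:01Z dev-a1 POST http://c2.example.invalid/upload
2020-06-02T10:01:59Z dev-a1 POST http://c2.example.invalid/upload
2020-06-02T10:03:00Z dev-a1 POST http://c2.example.invalid/upload
2020-06-02T10:04:02Z dev-a1 POST http://c2.example.invalid/upload
2020-06-02T10:04:58Z dev-a1 POST http://c2.example.invalid/upload
2020-06-02T10:00:10Z dev-b2 GET http://news.example.invalid/index.html
2020-06-02T10:00:12Z dev-b2 GET http://news.example.invalid/style.css
2020-06-02T10:07:40Z dev-b2 GET http://news.example.invalid/article/7
2020-06-02T10:31:05Z dev-b2 POST http://news.example.invalid/comment
"""


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Return (timestamp, device id, destination host) for one log line."""
    ts, device, _method, url = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, device, urlsplit(url).hostname or ""


def find_beacons(log_text: str, period_s: float = 60.0,
                 tolerance_s: float = 5.0, min_requests: int = 5) -> dict:
    """Return {(device, host): median gap in seconds} for device/host pairs
    whose request intervals all fall within tolerance_s of period_s."""
    times: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, device, host = parse_line(line)
        times[(device, host)].append(when)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Require the typical gap AND every individual gap to sit near the
        # period, so a burst of normal traffic with one coincidental 60 s gap
        # is not flagged.
        if abs(mid - period_s) <= tolerance_s and all(
                abs(g - period_s) <= tolerance_s for g in gaps):
            hits[key] = mid
    return hits


if __name__ == "__main__":
    for (device, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{device} -> {host}: median interval {gap:.0f} s")
```

Requiring every gap to be near the period keeps false positives low but will miss a beacon that backs off while the screen is off; loosening the all() check to a fraction of the gaps trades one error for the other, and the right balance depends on how noisy the device population's traffic is.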

When necessary, the malware also checks whether security software is present on the system and, if it is, damages or even directly disables it.

Targeting China, with particular optimisation for Xiaomi, etc.:

It is worth noting that the malware group is targeting China: for example, the malware is specially optimised for Xiaomi's customised Android system.

The self-protection mechanism also specifically targets Chinese security software and system applications so that the malware can keep running efficiently.

Although the hacker group's malware-as-a-service is still in its early stages, it seems that Android users in China will become its new targets.