New Android Botnet Pops Up on Malware-as-a-Service Market

Security researchers have discovered a new Android botnet toolkit that’s being developed as a malware-as-a-service (MaaS) offering for other cybercriminals.

The toolkit, dubbed Black Rose Lucy by researchers from security firm Check Point Software Technologies, is made up of a back-end control panel dubbed the Lucy Loader and an Android implant called the Black Rose dropper. The malware was created by a team of Russian speaking developers that Check Point calls the Lucy Gang.

“At the time of writing, we believe the Lucy Gang has already conducted various demos to potential malicious clients and while it may well still be in its early stages, given time it could easily become a new cyber swiss army knife that enables worldwide hacker groups to orchestrate a wide range of attacks,” the researchers said in a blog post.

One discovered instance of the Lucy Loader dashboard is already being used to control 86 Android phones, mostly from Russia, that had been infected since August. Attackers can use it to push additional malware to the compromised devices.

The Black Rose dropper is distributed as a fake Android system upgrade or an image file and abuses the Android accessibility service to install malware payloads without user interaction.

Upon installation, Black Rose hides its icon and runs in the background. Every 60 seconds it asks the user to enable the accessibility service for an application called “Security of the system,” which is actually itself.

If registered as an accessibility service, Black Rose can simulate user clicks on top of other applications and menus. This allows it to automatically give admin privileges to itself and to ignore battery optimizations that might kill its process.

It also allows the malware to install new APKs (Android Applications) received from the command-and-control server. Newer versions also support more powerful DEX payloads that can be loaded dynamically on Android devices.

Black Rose checks for the presence of various security tools and apps on the phone and attempts to close them. It also prevents users from accessing the factory reset menu in the phone’s settings which could be used to reset the phone and remove the malware.

“During our code analysis, we felt a strong sense of the Lucy Gang’s global ambitions,” the researchers said. “Indeed, we got the impression that Black Rose Lucy has plans to become a botnet service far beyond the Russian border due to the Black Rose dropper currently supporting an English, Turkish and Russian user interface.”

Over 2 Billion Devices Remain Vulnerable to BlueBorne

One year after a critical Bluetooth-based attack was publicly disclosed, more than 2 billion devices remain vulnerable to it.

BlueBorne is an airborne attack vector that exploits vulnerabilities in the Bluetooth implementations of Linux, Android, Windows and iOS. In many cases, it can lead to remote code execution on affected devices and in others it enables man-in-the-middle traffic interception.

When it was announced in September 2017, BlueBorne was estimated to affect 5.3 billion devices, including computers, mobile phones, IoT devices and basically anything with a Bluetooth radio chip. It was a new type of attack that has since spurred additional research and led to the discovery of additional Bluetooth vulnerabilities.

However, it turns out that patching Bluetooth stacks at scale is not easy and many older devices have been left behind. According to Armis, the company that discovered BlueBorne, more than 2 billion devices have not received patches to date.

“Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack,” the company said in a new report. “The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.”

The breakdown by OS looks like this: 768 million devices running Linux, 734 million devices running Android 5.1 (Lollipop) and earlier, 261 million devices running Android 6 (Marshmallow) and earlier, 200 million devices running affected versions of Windows and 50 million devices running iOS version 9.3.5 and earlier.

Even for devices that did eventually received patches, vendors dragged their feet. For example, Lenovo released BlueBorne patches for some of its older Android tablets in June 2018, 268 days after the attack was first revealed.

“Unmanaged and IoT devices are growing exponentially in the enterprise,” Armis said. “They carry the promise of connectivity and productivity. However, they are also the new attack landscape. Attackers increasingly focus on new methods to exploit these devices because they take advantage of new connectivity methods (like Bluetooth), and because of their inherent lack of protection.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin