September 28, 2018 By Wylie Wong

Security researchers discovered an emerging malware-as-a-service threat that would allow cybercriminals to infect Android phones with malicious software and block users from running security solutions on their devices.

The offering, called Black Rose Lucy, has a dashboard that shows simulated victims in France, Israel and Turkey. This led researchers at Check Point Research to conclude that the Russian-speaking developers have likely run demos for prospective cybercrime groups that are interested in attacking targets in those countries. China is another likely target because it is the largest market for Android devices.

“Given time it could easily become a new cyber Swiss Army Knife that enables worldwide hacker groups to orchestrate a wide range of attacks,” the researchers warned in a threat report dated Sept. 13.

Malware-as-a-service is very much like any traditional cloud service, but instead of subscribing to a harmless application in the cloud, cyberthieves can subscribe to black-market malware services that provide them with all the tools they need to execute attacks.

How Black Rose Lucy Works

Black Rose Lucy has two main components:

  1. Lucy Loader, a dashboard that allows users to control an entire botnet of victim devices and deploy additional malware payloads.
  2. Black Rose Dropper, which targets Android phones, collects victim device data and can install extra malware from a remote command-and-control (C&C) server.

To infect phones, the dropper prompts victims to enable the Android accessibility service for an application called Security of the System, which is actually the dropper, according to Check Point Research. Because an accessibility service can observe the screen and act on UI elements on the user's behalf, once it is enabled Black Rose Lucy can click through the device administrator prompt and grant itself administrative privileges. When it receives Android Package Kit (APK) files from the C&C server, it installs them the same way, by simulating the user's taps through the installation dialogs.

Black Rose Lucy also has self-protection features. If popular security solutions or system cleaners are launched, it simulates a user click to the “back” or “home” button to exit the tools. The dropper also blocks users from performing a factory reset.

The researchers noted that Black Rose Lucy is likely designed to target China because its dropper pays attention to Chinese security and system tool applications.
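The mechanism above hinges on the victim enabling an accessibility service, which is a persistent, user-visible setting. The following is an added triage check, not code from Check Point Research or from this article, that parses the value `adb shell settings get secure enabled_accessibility_services` prints on a connected Android device (a colon-separated list of `package/class` pairs) and flags any service that is not on an explicit allowlist. The sample setting string, the allowlist and the package name `com.example.securityofthesystem` are constructed for this example and stand in for whatever a real dropper would register.

```python
"""Allowlist check for enabled Android accessibility services.

Added example for triage; it is not Check Point's or IBM's code. It works on
the value printed by:

    adb shell settings get secure enabled_accessibility_services

which is a colon-separated list of "package/class" entries, or the literal
string "null" when the key has never been set.
"""
from typing import Iterable, List, Set, Tuple

Service = Tuple[str, str]  # (package, fully qualified class name)

# Constructed sample of the adb output. The first entry is Android's TalkBack
# screen reader; the second is a hypothetical package name standing in for a
# dropper whose service the user was tricked into enabling.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securityofthesystem/.MainService"
)

# Services an organization expects on its managed devices (assumed list).
ALLOWLIST: Set[Service] = {
    ("com.google.android.marvin.talkback",
     "com.google.android.marvin.talkback.TalkBackService"),
}


def parse_enabled_accessibility_services(raw: str) -> List[Service]:
    """Split the setting value into (package, class) tuples.

    Handles the "null" placeholder for an unset key and expands the
    abbreviated ".Relative" class form, which Android reads as
    "<package>.Relative", so that comparisons against the allowlist are
    made on fully qualified names.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services: List[Service] = []
    for entry in raw.split(":"):
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def flag_unexpected(services: Iterable[Service],
                    allowlist: Set[Service]) -> List[Service]:
    """Return every enabled service that is not explicitly allowed."""
    return [svc for svc in services if svc not in allowlist]


if __name__ == "__main__":
    enabled = parse_enabled_accessibility_services(SAMPLE_SETTING)
    for package, cls in flag_unexpected(enabled, ALLOWLIST):
        print(f"UNEXPECTED accessibility service: {package} ({cls})")
```

Run against a live device, replace `SAMPLE_SETTING` with the captured adb output; an accessibility service belonging to an app that has no accessibility purpose is the signal to investigate, and the same allowlist approach applies to the enabled device administrators reported by `dumpsys device_policy`. Note that a dropper with this capability can also press "back" on the Settings screen, so the check is most reliable when run over adb rather than from an on-device app.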

How to Protect Your Network From Malware-as-a-Service Threats

The threat alert issued on the IBM X-Force Exchange advised IT organizations to update their antivirus software, apply the latest patches to all applications and operating systems, and monitor their environments for indicators of compromise (IoCs).

Security experts also recommend conducting hands-on security awareness training that includes immersive simulations and promotes organizationwide security buy-in from the top down.
