Security researchers discovered an emerging malware-as-a-service threat that would allow cybercriminals to infect Android phones with malicious software and block users from running security solutions on their devices.

The offering, called Black Rose Lucy, has a dashboard that shows simulated victims in France, Israel and Turkey. This led researchers at Check Point Research to conclude that the Russian-speaking developers have likely run demos for prospective cybercrime groups that are interested in attacking targets in those countries. China is another likely target because it is the largest market for Android devices.

“Given time it could easily become a new cyber Swiss Army Knife that enables worldwide hacker groups to orchestrate a wide range of attacks,” the researchers warned in a threat report dated Sept. 13.

Malware-as-a-service is very much like any traditional cloud service, but instead of subscribing to a harmless application in the cloud, cyberthieves can subscribe to black-market malware services that provide them with all the tools they need to execute attacks.

How Black Rose Lucy Works

Black Rose Lucy has two main components:

  1. Lucy Loader, a dashboard that allows users to control an entire botnet of victim devices and deploy additional malware payloads.
  2. Black Rose Dropper, which targets Android phones, collects victim device data and can install extra malware from a remote command-and-control (C&C) server.

To infect phones, the dropper prompts victims to enable the Android accessibility service for an application called Security of the System, which is actually the dropper, according to Check Point Research. When enabled, Black Rose Lucy can grant itself device administrative privileges. When it receives Android Package Kit (APK) files from the C&C server, it installs the files by simulating user clicks.

Black Rose Lucy also has self-protection features. If popular security solutions or system cleaners are launched, it simulates a user click to the “back” or “home” button to exit the tools. The dropper also blocks users from performing a factory reset.

The researchers noted that Black Rose Lucy is likely designed to target China because its dropper pays attention to Chinese security and system tool applications.

How to Protect Your Network From Malware-as-a-Service Threats

The threat alert issued on the IBM X-Force Exchange advised IT organizations to update their antivirus software, apply the latest patches to all applications and operating systems, and monitor their environments for indicators of compromise (IoCs).

Security experts also recommend conducting hands-on security awareness training that includes immersive simulations and promotes organizationwide security buy-in from the top down.

More from

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…