Lucy Gang Debuts with Unusual Android MaaS Package

The threat actor’s Android-focused cyber-arms package, dubbed Black Rose Lucy, is limited in reach for now, but clearly has global ambitions.

There’s a fresh bloom in the malware-as-a-service garden: Researchers have uncovered a new Russian-speaking threat actor hawking a proprietary cyber-weapon dubbed “Black Rose Lucy.”

The offering is a malware-as-a-service (MaaS) bundle with two parts, consisting of a controlling web interface (which acts as a dashboard and command-and-control server), and malware that targets Android systems. Infected devices are enslaved to a botnet that’s placed at an operator’s disposal, according to analysis from Check Point.

The group behind it, called Lucy Gang by the researchers, is new to the underground scene.

“There’s no evidence to link Lucy Gang to any existing known threat actors,” Check Point researcher Feixiang He explained to Threatpost. “Yet, Lucy Gang shows competent coding skills and a clear ‘business model.’ Thus, it’s likely individuals in the Lucy Gang have spent a fair amount of time in the hacking business before.”

The package was named Black Rose Lucy after nomenclature found within the code, he added.

“We looked into the hackers’ dashboard and found they gave the name ‘Lucy’ as the dashboard title (which is displayed in a browser tab),” He told Threatpost. “And in the Android malware, we found code to create a local database to record command execution results (a log) as instructed from the remote controlling dashboard. The database table is called ‘blackRose.’ These two parts are very unique, so I decided to call the malware bundle Black Rose Lucy, where Black Rose refers to the Android malware part and Lucy to the control dashboard part.”

The Malware

The Black Rose Android malware mainly plays a dropper role, with the ability to receive and sneakily install further malicious payloads sent from the Lucy dashboard (command-and-control server).

To go with this, Lucy Gang provides a set of commonly used malicious mobile payloads, such as those that can steal SMS messages and contacts from an Android phone. However, He explained to Threatpost that Lucy Gang also developed an upload feature in the Lucy dashboard so that buyers/customers can upload their own malicious payload to the control server.

From there, they can “then deploy [it] into the entire botnet, so that the botnet fits into their purpose,” He said.

For now, the Black Rose Lucy malware package focuses on mobile phone-related malicious capabilities; however, technically, it is able to infect all Android-powered devices.

“Meaning, it can be re-purposed to other things, like turning Android TVs into cryptomining machines,” He told Threatpost.

A few additional aspects to the malware stood out as unusual to He.

“First, the Black Rose code structure is very neat and concise,” the researcher told us. “There is very little redundant or unused code. This means Lucy Gang is the original developer, who has a clear purpose in mind. In the past, we have seen many hackers reuse or copy code from each other (mostly for the sake of saving time in development, or simply a showcase of coding incompetency). It usually produces malware which has loads of dead code and very loose code structures.”

Second, Black Rose is built to be an especially easy-to-use software service bundle.

“From a potential malware service buyer’s point of view, launching a cyber-attack could not be easier,” said He. “Just pay Lucy Gang a price, then the gang will spin up a control server for the buyer, configure an Android malware that listens to commands from that specific control server, and then hand over the server login and malware to the buyer. The whole process is as easy as buying an AWS cloud service.”

For instance, Lucy Gang helps deploy the Lucy control dashboard into a Virtual Private Server instance (He told us it’s using the VPS provider “” so far, which is a legitimate VPS provider), embedding the server domain name or IP into Black Rose Android malware.

It’s worth noting that Black Rose Lucy also has notable self-protection mechanisms, such as actively checking to see if popular free security tools or system cleaners are launched. It also blocks victims’ ability to use factory reset on their devices. Whenever victims try to open the factory reset menu in settings, Black Rose quickly presses the ‘home’ and ‘back’ button.

Initial Compromise

As for how the Lucy Gang is spreading the malware and building its botnet, tried-and-true techniques are likely afoot.

“In our research, we mentioned that Android malware variants disguise themselves as image files or Android system upgrade APK files,” He said. “This suggests that Black Rose proliferation needs a bit of assistance from social engineering techniques. For example, a hacker could send an SMS saying something like: ‘Here is the link to the group photo from our last reunion. Click to download! <URL>.’”

Or, a more advanced technique would involve the recently presented man-in-the-disk vulnerability.

“Attackers would embed a man-in-the-disk agent in a seemingly innocent app, and distribute it through popular Android app stores,” He said. “If the OEM version of Android or on-board system applications are vulnerable to man-in-the-disk, then hackers can push Black Rose variants which disguise themselves as Android update files when Android tries to upgrade, swapping out the legitimate update file so as to achieve infestation.”

Lucy Gang: A Cyber-Arms Dealer

After receiving leads from malware analyst David Montenegro earlier in September about some unusual web hosts, He and fellow researchers Bogdan Melnykov and Andrey Polkovnichenko looked deeper into the situation. They determined that Lucy Gang is a good example of an evolution in the criminal underground towards specialized weapons. For instance, for now, Black Rose Lucy is aimed only at mobile Android.

“Recently, we see further specialization among hacker groups,” He told Threatpost. “Black Rose Lucy demonstrates a [separation] between cyber-weaponry developer and the cyber-attack campaign runner/attack execution party. I tend to compare Lucy Gang to arms developers: It sells cyber-attack weapons as-a-service, yet keeps itself away from direct hacking campaigns.”

In many ways, threat actors are now buying malware services from MaaS providers in a similar way that legitimate organizations purchase cloud services.

While compartmentalization has gone on for years, it’s tended to be oriented around the criminal supply chain (i.e., there is a clear delineation between hacker groups who steal personal data, those who buy the data later for scam or fraud purposes, and those that market that data). The kind of MaaS specialization seen with Black Rose Lucy results in even greater efficiency among hacker groups, He explained, reducing the minimum skill requirements needed to initiate a cyber-attack and ultimately resulting in more frequent attacks.

Global Ambitions

So far, Lucy Gang’s influence and botnet reach have been limited, but Check Point researchers said its scope is poised to expand globally.

“At the time of writing, we believe the Lucy Gang has already conducted various demos to potential malicious clients and while it may well still be in its early stages, given time it could easily become a new cyber Swiss army knife that enables worldwide hacker groups to orchestrate a wide range of attacks,” the research team noted in an analysis posted this week. “As we found simulated victims on this dashboard to be located in France, Israel and Turkey, we believe the Lucy Gang may be conducting demos to potential hacker groups that are interested in attacking these countries.”

The Black Rose dropper currently supports an English, Turkish and Russian user interface as well, while the Lucy dashboard is bilingual in English and Russian. There are also indicators that China, the world’s largest market for Android phones, could be its next target.

“The Lucy Gang has great ambition beyond the Russian border where the gang comes from,” He told Threatpost. “Black Rose displays many foreign languages to trick victims, and Black Rose pays much attention to Chinese technologies.”

For instance, it contains special logic only designed for MIUI, which is the Chinese-made Xiaomi phone’s Android component. Also, in its antivirus checks, more than half of the “blacklist” contains free Chinese AV products or system utility apps.

“This is the first time I have seen a Russian gang paying such a high level of attention to Chinese technologies,” he said.
