BlackRock Android malware targets passwords and credit card details from dating, social media, instant messaging applications
Newly discovered Android banking trojan steals credentials from more than 337 applications in various categories. Dubbed BlackRock, the trojan can steal data from mobile apps that are not all used for financial purposes. The list of Android applications comes in various categories mainly focusing on shopping, entertainment, social media, dating, instant messaging apps besides banking and financial programs.
The trojan was discovered back in May by ThreatFabric analysts, and recent reports show that banking trojan is designed on the base of the leaked code for other mobile banking trojans. BlackRock is derived from the code of Xerxes banking malware that is a strain of another well-known LokiBot Android malware.
Malware makes Android work profiles, so the compromised device can be controlled without additional permissions. This is how malware launchers can create and manage the profile with particular administrative rights. The BlackRock trojan targets 226 applications with data-stealing tactics.
Those mobile programs include Microsoft Outlook, Gmail, Google Play, Uber, Netflix, Cash App, Amazon, Coinbase, BitPay. Other programs that store and collect credit card information are targeted too, social media, instant messaging programs include Telegram, WhatsApp, Twitter, Skype, Instagram, Play Store, Facebook, VK, Reddit, Tinder.
Different banking Trojan that targets non-financial apps
It is known that the BlackRock trojan is based on 2019 mobile malware that is coming from the LokiBot. The particular Android malware started activities back in 2016, two years later evolved into MysteryBot and then released a Parasite malware. The latter become Xerxes in 2019. Based on the other analysis and investigations on the same Android malware family this particular 2020 Android threat has some unique features.
Besides those features that are similar or somewhat typical, this Android trojan includes many applications related to social networking, dating, communications that are not commonly included in target lists of such banking trojans. This threat hides as Google Update to ask the Accessibility Service privileges. This way the threat camouflaged itself and gets launched by the potential victim.
Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. Those additional permissions are required for the bot to fully function without having to interact any further with the victim.
Operators control malware remotely and can launch actual commands
Once the malware is hidden and installed on the targeted device the attacker can launch various attacks and trigger command on the phone that leads to logging keystrokes, sending spam to contacts, changing preferences, and settings. Anything that hacker chooses to launch can result in phishing attacks, blocks for users from using antivirus software or other system features, programs.
- send SMS;
- send copies of messages to C2 server;
- send malware via messaging applications;
- start a particular application;
- keep the device on Home screen all the time;
- request admin privileges;
- hide notifications;
- copies the content of notifications;
- stop programs.
This discovery is probably not the last one this year, so banking malware and spyware programs can be on the rise.
With the changes that we expect to be made to mobile banking Trojans, the line between banking malware and spyware becomes thinner, banking malware will pose a threat for more organizations and their infrastructure, an organic change that we observed on windows banking malware years ago.