New Android BlackRock malware targets hundreds of apps

Researchers spotted a new Android banking trojan dubbed BlackRock malware that steals credentials and credit card data from hundreds of apps.

Security experts from ThreatFabric have discovered a new Android banking trojan dubbed BlackRock that steals credentials and credit card data from a list of 337 apps.

The BlackRock malware borrows the code from the Xerxes banking malware, which is a strain of the popular LokiBot Android trojan.

The source code of the Xerxes malware was leaked online around May 2019.

Unlike other banking trojans, BlackRock targets several non-financial Android apps, most of them are social, communication, and dating platforms.

“one of the interesting differentiators of BlackRock is its target list; it contains an important number of social, networking, communication and dating applications. So far, many of those applications haven’t been observed in target lists for other existing banking Trojans.” reads the post published by ThreatFabric. “It therefore seems that the actors behind BlackRock are trying to abuse the grow in online socializing that increased rapidly in the last months due to the pandemic situation.”

The BlackRock malware poses itself as fake Google updates: camouflages itself as Google Update.

Upon launching the malware on the mobile device, it will start by hiding its icon from the app drawer, then it asks the victim for the Accessibility Service privileges. 

“Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions,” continues the analysis. “Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks.”

The malicious code supports multiple commands, it could launch overlay attacks, log keystrokes, send spam the victims’ contact lists with SMS messages, and prevent victims from using antivirus software.

Experts noticed that the Xerxes Trojan itself implements more features because the authors of the BlackRock malware have removed those ones that are not useful to steal personal information.

Unlike other Android malware that BlackRock uses the Android work profiles, which is used by businesses to define a device policy controller (DPC) in order to control and apply policies on their mobile fleet. The feature allows controlling multiple aspects of a device without having complete administration rights on them.

The malware targets 226 applications to steal account credentials, including Gmail, Google Play services, Uber, Amazon, Netflix and Outlook.

The list of targeted apps includes cryptocurrency wallet applications (i.e. Coinbase, BitPay, and Coinbase), and banks (i.e. Santander, Barclays, Lloyds, ING, and Wells Fargo).

“The second half of 2020 will come with its surprises, after Alien, Eventbot and BlackRock we can expect that financially motivated threat actors will build new banking Trojans and continue improving the existing ones,” ThreatFabric concludes.

“With the changes that we expect to be made to mobile banking Trojans, the line between banking malware and spyware becomes thinner, banking malware will pose a threat for more organizations and their infrastructure, an organic change that we observed on windows banking malware years ago.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackRock malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.