New Android malware now also steals passwords for non-bank apps



Cybersecurity researchers today disclosed a new strain of banking malware that targets not only banking apps but also steals data and credentials from social media, dating, and cryptocurrency apps, with a total of 337 non-financial Android apps on its target list.

Dubbed "BlackRock" by the ThreatFabric researchers who discovered the Trojan in May, its source code is derived from a leaked version of the Xerxes banking malware, which is itself a strain of the Android banking Trojan LokiBot, first observed during 2016-2017.

Its main features are stealing user credentials, intercepting SMS messages, hijacking notifications and even recording keystrokes in specific applications, in addition to hiding from antivirus software.

"Not only is the [BlackRock] Trojan undergoing changes to its code, but it also comes with a larger list of targets and has been ongoing for a longer period," said ThreatFabric.

"It contains a significant number of dating, communication, and social applications [that] have not been observed in the target lists of other existing banking Trojans."


BlackRock performs its data collection by abusing the privileges of the Android Accessibility Service, for which it requests the user's permission under the guise of a fake Google update when it is first launched on the device.

It then uses that access to grant itself additional permissions and establishes a connection to a remote command-and-control (C2) server to carry out its malicious activities, injecting overlays on the login and payment screens of targeted applications.

These credential-theft overlays have been found targeting banking applications operating in Europe, Australia, the US and Canada, as well as shopping, communication and business applications.
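Because the whole chain starts with the user enabling an accessibility service, the quickest triage check on a suspect device is to look at which accessibility services are actually enabled. The following is an added example, not code from the article or from ThreatFabric: it parses the value that `adb shell settings get secure enabled_accessibility_services` returns (a colon-separated list of `package/ServiceClass` entries) and flags any service whose package is not on an allowlist. The sample setting string is constructed, and the `com.update.google` package name in it is a placeholder for illustration, not a real BlackRock indicator.

```python
"""Triage helper: flag third-party accessibility services on an Android device.

Added example, not the article's or ThreatFabric's code. Input is the raw value
of the Android secure setting `enabled_accessibility_services`, as printed by
`adb shell settings get secure enabled_accessibility_services`.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: what a compromised device might return. The
# `com.update.google` package is a placeholder, not a real indicator.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.update.google/com.update.google.AccessService"
)

# Packages whose accessibility services are expected on the device.
# Assumption: adjust to your own fleet; TalkBack is Google's screen reader.
ALLOWLIST = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service: str


def parse_enabled_services(value: str) -> list[AccessibilityService]:
    """Split the raw setting into (package, service) pairs.

    Returns [] for an empty or 'null' value, which is what `settings get`
    prints when the setting has never been written.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    services: list[AccessibilityService] = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, service = entry.partition("/")
        if not sep or not package or not service:
            raise ValueError(f"malformed accessibility service entry: {entry!r}")
        # A class name starting with '.' is relative to the package name.
        if service.startswith("."):
            service = package + service
        services.append(AccessibilityService(package, service))
    return services


def suspicious_services(
    value: str, allowlist: set[str] = ALLOWLIST
) -> list[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(value) if s.package not in allowlist]


if __name__ == "__main__":
    for svc in suspicious_services(SAMPLE_SETTING):
        print(f"REVIEW: {svc.package} has accessibility service {svc.service} enabled")
```

On a real device, pipe the `adb shell settings get secure ...` output into `suspicious_services`; any flagged package should then be pulled with `adb pull` for further analysis rather than judged on its name alone, since a fake "Google update" package will try to look legitimate.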


"The target list of non-financial apps contains famous apps like Tinder, TikTok, PlayStation, Facebook, Instagram, Skype, Snapchat, Twitter, Grindr, VK, Netflix, Uber, eBay, Amazon, Reddit, and Tumblr, among others," the researchers told The Hacker News.

This is not the first time that mobile malware has abused Android accessibility features.

Earlier this year, IBM X-Force researchers detailed a new TrickBot campaign, called TrickMo, which was found to target German users exclusively, with malware misusing accessibility features to intercept one-time passwords (OTP), Mobile TAN (mTAN) and pushTAN authentication codes.

Then in April, Cybereason discovered a different class of banking malware known as EventBot that took advantage of the same feature to exfiltrate confidential data from financial apps, read users' SMS messages, and hijack SMS-based two-factor authentication codes.

What sets BlackRock's campaign apart is the breadth of its target list, which goes well beyond the mobile banking apps that such Trojans generally target.

“After Alien, Eventbot and BlackRock, we can expect financially motivated threat actors to build new banking Trojans and continue to improve existing ones,” the ThreatFabric researchers concluded.

"With the changes we expect to see in mobile banking Trojans, the line between banking malware and spyware becomes thinner [and] banking malware will pose a threat to more organizations."
