New BlackRock Android malware can steal passwords and card data from 337 apps

[Image: blackrock.png, credit ThreatFabric]

A new strain of Android malware has emerged in the criminal underworld, equipped with a wide range of data theft capabilities that allow it to target 337 Android apps.

Called BlackRock, this new threat emerged in May of this year and was discovered by mobile security company ThreatFabric.

The researchers say the malware is based on the leaked source code of another malware strain (Xerxes, itself based on earlier strains), but was enhanced with additional features, especially on the side that deals with stealing user passwords and credit card information.

[Image: blackrock-evolution.png, credit ThreatFabric]

Despite these additions, BlackRock still works like most Android banking Trojans; it simply targets more apps than most of its predecessors.

The Trojan steals login credentials (usernames and passwords) where available, and also prompts the victim to enter payment card details if the targeted app supports financial transactions.

According to ThreatFabric, data collection is done through a technique called “overlays”: the malware detects when a user tries to interact with a legitimate application and displays a fake window on top of it that collects the login data and the victim’s card details before letting the user through to the intended legitimate application.

In a report shared with ZDNet this week before publication, ThreatFabric researchers say the vast majority of BlackRock overlays are geared towards phishing financial and social media/communications applications. However, overlays are also included for phishing data from dating, news, shopping, lifestyle and productivity apps. The complete list of targeted applications is included in the BlackRock report.

[Image: blackrock-apps.png, credit ThreatFabric]

In how it shows the overlays, BlackRock is not unique: it works like most Android malware these days and uses old, tried-and-tested techniques.

Once installed on a device, the malicious application carrying the BlackRock Trojan asks the user to grant it access to the phone’s Accessibility feature.

Android’s Accessibility feature is one of the most powerful features of the operating system, since it can be used to automate tasks and even perform taps on behalf of the user.

BlackRock uses the Accessibility feature to grant itself other Android permissions, and then uses an Android DPC (device policy controller, also known as a work profile) to obtain administrator access to the device.

BlackRock then uses this access to show its malicious overlays, but ThreatFabric says the Trojan can also perform other intrusive operations, such as:

  • Intercept SMS messages
  • Flood SMS
  • Spam contacts with predefined SMS
  • Start specific applications
  • Record keystrokes (keylogger functionality)
  • Show custom push notifications
  • Sabotage mobile antivirus applications, and more
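The combination of Accessibility access and device-admin rights described above is the thing a defender can actually look for on a handset. The following script is an added example (not code from ThreatFabric or ZDNet) that flags packages holding either right outside a hypothetical allowlist; it parses constructed sample output shaped like `adb shell settings get secure enabled_accessibility_services` and the admin section of `adb shell dumpsys device_policy`, and the allowlist contents are assumptions for illustration.

```python
"""Flag Android packages holding Accessibility or device-admin rights that are not
on an allowlist. Added detection aid; the device output below is constructed."""
import re

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated package/service entries; not captured from a real device).
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.update/com.example.update.AccessService"
)

# Constructed excerpt in the shape of `dumpsys device_policy` (approximate layout).
DEVICE_POLICY_DUMP = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.managedprovisioning/.DeviceAdminReceiver:
      uid=10045
    com.example.update/.AdminReceiver:
      uid=10112
"""

# Hypothetical allowlists: packages expected to hold these powerful rights.
ALLOWED_ACCESSIBILITY = {"com.android.talkback"}
ALLOWED_ADMINS = {"com.android.managedprovisioning"}

# Matches a component line such as "    com.pkg/.Receiver:" inside the admin dump.
ADMIN_RE = re.compile(r"^\s*([a-zA-Z][\w.]*)/[\w.]+:\s*$", re.MULTILINE)


def parse_accessibility(setting: str) -> set[str]:
    """Package names from the colon-separated enabled_accessibility_services value."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_admins(dump: str) -> set[str]:
    """Package names listed as enabled device admins in the dumpsys output."""
    return set(ADMIN_RE.findall(dump))


def suspicious(setting: str, dump: str) -> dict[str, list[str]]:
    """Non-allowlisted holders of each right; 'both' is the BlackRock-style pairing."""
    acc = parse_accessibility(setting) - ALLOWED_ACCESSIBILITY
    adm = parse_admins(dump) - ALLOWED_ADMINS
    return {"accessibility": sorted(acc),
            "device_admin": sorted(adm),
            "both": sorted(acc & adm)}


if __name__ == "__main__":
    print(suspicious(ENABLED_ACCESSIBILITY, DEVICE_POLICY_DUMP))
```

On a real device, feed the two `adb shell` outputs in place of the constructed strings; a package appearing under `both` that was sideloaded from outside the Play Store deserves immediate attention.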

Currently, BlackRock is distributed disguised as fake Google update packages offered on third-party sites, and the Trojan has yet to be seen on the official Play Store.

However, Android malware gangs have generally found ways to bypass Google’s app review process in the past, and chances are that BlackRock will show up on the Play Store at one point or another.