The new Android malware steals your appointments and social accounts



Image: ThreatFabric

A new Android banking Trojan named BlackRock steals credentials and credit card information from a list of 337 applications, many of which serve no financial purpose at all.

The malware was discovered in May by ThreatFabric analysts and is derived from the leaked source code of the Xerxes banking malware, itself a known strain of the LokiBot Android Trojan.

In addition to being the only Android malware based on the Xerxes source code, BlackRock has another quirk: unlike other banking Trojans, it targets many non-financial Android apps, with a focus on social media, communication, networking and dating platforms.

Targeted applications

BlackRock disguises itself as a Google Update to request Accessibility Service privileges, and it hides its icon once a victim launches it.

“Once the user grants the requested Accessibility Service privilege, BlackRock begins by granting additional permissions,” said ThreatFabric.

“Those additional permissions are necessary for the bot to work fully without having to interact with the victim anymore.”

Operators can then remotely control the malware to launch overlay attacks and issue a multitude of commands, including logging keystrokes, spamming victims’ contact lists with text messages, setting the malware as the default SMS manager, sending system notifications to the C2 server, and blocking victims from starting or using antivirus or system-cleaning software.

The creators of BlackRock have also made sure that no unnecessary features were left in the Xerxes code, removing the capabilities that did not serve their goal of stealing logins and financial information from infected Android devices.

The malware also abuses Android work profiles to control the compromised device without requesting device administrator permissions: instead of asking for them, it creates its own managed profile with administrator rights.
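A defender-side triage check for the behaviours described above (an added example, not code from ThreatFabric or from this article): it parses the text that a few `adb shell` commands return and flags sideloaded packages that hold the Accessibility Service, act as the default SMS app, no longer show a launcher icon, or carry a Google-looking label. The sample inputs are constructed, and the app-inventory fields (default SMS package, launcher visibility, display labels) are assumed to come from your own device inventory or MDM export.

```python
from typing import Dict, List, Set

# Assumed allowlist: Google's own package prefixes; a "Google"-branded label on any
# other package matches the "Google Update" lure the article describes.
GOOGLE_PKG_PREFIXES = ("com.google.", "com.android.")

def parse_enabled_accessibility(setting: str) -> Set[str]:
    """Value of `adb shell settings get secure enabled_accessibility_services`:
    ':'-separated ComponentNames (package/class), or 'null' when none is enabled."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def parse_pm_list(output: str) -> Set[str]:
    """Output of `adb shell pm list packages -3` (third-party apps): 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")}

def triage(accessibility_setting: str, default_sms_pkg: str, pm_list_output: str,
           launcher_visible: Set[str], labels: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for third-party packages showing BlackRock-style traits.
    default_sms_pkg, launcher_visible (packages still showing a launcher icon) and labels
    (package -> display name) are assumed to come from the device's app inventory."""
    findings: Dict[str, List[str]] = {}

    def flag(pkg: str, why: str) -> None:
        findings.setdefault(pkg, []).append(why)

    sideloaded = parse_pm_list(pm_list_output)
    for pkg in sorted(parse_enabled_accessibility(accessibility_setting) & sideloaded):
        flag(pkg, "holds Accessibility Service")
    if default_sms_pkg.strip() in sideloaded:
        flag(default_sms_pkg.strip(), "is the default SMS app")
    for pkg in sorted(sideloaded - launcher_visible):
        flag(pkg, "has no launcher icon")
    for pkg in sorted(sideloaded):
        if "google" in labels.get(pkg, "").lower() and not pkg.startswith(GOOGLE_PKG_PREFIXES):
            flag(pkg, "Google-branded label on a non-Google package")
    return findings

# Constructed sample input (not real device output).
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.update.svc/.AccService")
SAMPLE_PM_LIST = "package:com.update.svc\npackage:com.example.notes\n"
SAMPLE_LAUNCHER = {"com.example.notes"}
SAMPLE_LABELS = {"com.update.svc": "Google Update", "com.example.notes": "Notes"}
```

A package that collects several of these reasons at once, as `com.update.svc` does in the sample, is the pattern worth escalating; any single one on its own is common in legitimate apps.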

BlackRock overlay attacks (ThreatFabric)

BlackRock’s credential-theft target list of 226 apps includes Microsoft Outlook, Gmail, Google Play services, Uber, Amazon, Netflix and Cash App, as well as multiple crypto wallet apps such as Coinbase, BitPay and Binance, and banks such as Santander, Barclays, RBS, Lloyds, ING and Wells Fargo.

The credit card theft target list contains 111 apps including but not limited to Telegram, WhatsApp, Twitter, Skype, Instagram, Facebook, Play Store, YouTube, VK, Reddit, TikTok, Tinder, and Grindr.

“The second half of 2020 will come with its surprises; after Alien, Eventbot and BlackRock, we can expect financially motivated threat actors to build new banking Trojans and continue to improve existing ones,” concluded ThreatFabric.

“With the changes we expect to see made to mobile banking Trojans, the line between banking malware and spyware becomes thinner; banking malware will pose a threat to more organizations and their infrastructure, an organic change we saw in Windows banking malware years ago.”