BlackRock – New Android Malware Strain Targets 300+ Applications


Monday, July 20th, 2020

A new Android malware strain named BlackRock has emerged that is capable of targeting over 330 Android applications with data theft capabilities. ThreatFabric first discovered the strain in May of 2020; researchers believe it was based on the leaked source code of another malware strain named ‘Xerxes.’ The threat actors behind BlackRock enhanced the original Xerxes source code to include additional features, with a specific focus on the theft of user passwords and credit card information. Xerxes itself was also based on a previously discovered malware strain, one which began as LokiBot, which was seen in 2016 and 2017.

BlackRock works like most Android banking Trojans, but it has the capability to target more apps than any of its predecessors. The Trojan will steal login credentials, such as usernames and passwords, and will also prompt users to enter debit and credit card information if financial transactions are supported by the application. In a report published by ThreatFabric, researchers believe that the main purpose behind BlackRock is the theft of personal banking information and phishing of social media/communication applications. BlackRock also contains overlays that target dating, news, shopping, lifestyle, and some productivity applications. For a full report of the applications targeted by BlackRock, follow this link.


BlackRock abuses the Accessibility Service to show one of two malicious overlays to the user: one is a generic card grabber view and the other is specific to the targeted app. Both are used to phish for credentials. ThreatFabric also claims that the Trojan can perform other intrusive actions such as:

  • Intercept SMS messages
  • Perform SMS floods
  • Spam contacts with predefined SMS
  • Start specific apps
  • Log key taps (keylogger functionality)
  • Show custom push notifications
  • Sabotage mobile antivirus apps

Thankfully, BlackRock has not been spotted on the official Google Play Store and can only be found disguised as fake Google update packages offered on third-party sites.
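As an added example (not from ThreatFabric's report or this post), the Python code below triages a decoded AndroidManifest.xml from a sideloaded APK for the combination described above: an accessibility service, SMS and contact permissions, and a label imitating a Google update. The mapping of behaviours to permissions, the function name `triage_manifest` and the sample manifest are assumptions constructed for illustration; the manifest is assumed to be decoded to text with a literal label.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Assumed mapping from the behaviours listed above to standard Android permissions.
BEHAVIOUR_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept SMS messages",
    "android.permission.SEND_SMS": "SMS floods / spam to contacts",
    "android.permission.READ_CONTACTS": "spam contacts with predefined SMS",
}

def triage_manifest(manifest_xml):
    """Return a list of findings for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for service in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in service.iter("action")}
        if service.get(ANDROID + "permission") == A11Y_PERMISSION and A11Y_ACTION in actions:
            findings.append("declares accessibility service " + service.get(ANDROID + "name", "?"))
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    for perm, behaviour in BEHAVIOUR_PERMISSIONS.items():
        if perm in requested:
            findings.append("requests " + perm + " (" + behaviour + ")")
    app = root.find("application")
    label = (app.get(ANDROID + "label", "") if app is not None else "").lower()
    if "google" in label and "update" in label and not package.startswith("com.google."):
        findings.append("label '" + label + "' imitates a Google update, package is " + package)
    return findings

# Constructed sample manifest, not taken from a real BlackRock sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Google Update">
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("[!]", finding)
```

Each finding alone is common in legitimate apps; it is the combination in a package obtained outside the Play Store that warrants a closer look.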

Seeing as many Android malware strains have found a way to bypass Google’s app review process, it is quite likely we will see this new strain of malware on the Google Play Store at some point in the future.

