A new strain of Android banking malware, named BlackRock, looks familiar. It has a wide range of data-theft capabilities: the BlackRock Trojan steals data from 337 Android applications.
The mobile security firm ThreatFabric discovered the new strain of banking malware in May 2020.
After investigating, researchers concluded that this newcomer is based on another malware strain, the Xerxes banking malware, which is itself a strain of the LokiBot Android banking Trojan.
The Xerxes source code was published by its author in May 2019, which means it is accessible to any threat actor.
The new strain has been enhanced with additional features. It steals users' credentials (logins and passwords), and it prompts the user to enter credit card details if the targeted app supports financial transactions.
How the malware works
First, when the malware is launched on the device, it hides its icon from the app drawer, making itself invisible to the user. Second, it asks the user to grant it Accessibility Service privileges. Once the user grants that request, the malware uses the Accessibility Service to grant itself additional permissions automatically; these allow the bot to function fully without any further interaction from the user. At that point the bot is ready to receive commands from its server and perform overlay attacks.
The malware's capabilities do not end there. ThreatFabric says the Trojan has other intrusive features, such as:
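The two behaviours described above, an app that holds accessibility privileges while hiding from the app drawer, are visible to a defender in device data. The following is an added triage example (not code from the article or from ThreatFabric): it parses the value of the `enabled_accessibility_services` secure setting, whose colon-separated `package/service` format is real, and flags enabled services whose package is not on an allowlist or has no launcher entry. The allowlist entries, package names and launcher list are constructed sample data.

```python
"""Flag Android accessibility services that are enabled but not expected.

Input 1: the value of Settings.Secure 'enabled_accessibility_services'
         (colon-separated 'package/service' entries).
Input 2: the set of packages that expose a launcher activity.
Added example; all package names below are constructed placeholders."""
from dataclasses import dataclass

# Packages an organisation expects to hold accessibility privileges
# (e.g. a screen reader). Placeholder values, not a real baseline.
KNOWN_ASSISTIVE = {"com.example.screenreader"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    reasons: tuple


def parse_enabled_services(raw: str) -> list:
    """Parse 'com.a/.Svc:com.b/com.b.Svc' into [(package, fq_service), ...].
    A service name starting with '.' is relative to its package."""
    pairs = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def triage(enabled_raw: str, launcher_packages: set) -> list:
    """Return a Finding for every enabled service that is suspicious:
    not allowlisted, and/or hidden from the app drawer (no launcher entry)."""
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        reasons = []
        if pkg not in KNOWN_ASSISTIVE:
            reasons.append("not on allowlist")
        if pkg not in launcher_packages:
            reasons.append("no launcher activity (hidden from app drawer)")
        if reasons:
            findings.append(Finding(pkg, svc, tuple(reasons)))
    return findings


# Constructed sample data: one legitimate screen reader, one hidden app.
SAMPLE_ENABLED = "com.example.screenreader/.ReaderService:com.example.update/.AccService"
SAMPLE_LAUNCHER = {"com.android.chrome", "com.example.screenreader"}

if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED, SAMPLE_LAUNCHER):
        print(f.package, f.service, "->", "; ".join(f.reasons))
```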
- Intercept SMS messages
- Perform SMS floods
- Spam contacts with predefined SMS
- Start specific apps
- Log key taps (keylogger functionality)
- Show custom push notifications
- Sabotage mobile antivirus apps, and more
Overlay Attack
'Overlay' is a technique in which a fake window is drawn in the foreground, on top of a legitimate application. Whenever the user interacts with the legitimate app, the malware places a fake window over it that collects the user's credentials.
BlackRock uses two types of overlay screens: a generic card-grabber view and a credential-phishing overlay.
BlackRock Trojan steals data from targeted apps
ThreatFabric researchers say there are 337 unique applications in BlackRock's target list. Most of these apps had not been targeted by any banking malware before. Not all of the targets are financial or credit-card apps; the list also includes apps in the Social, Communication, Lifestyle and Dating categories.
Among the financial apps, the majority of the most targeted ones are banks in Europe, Australia, the USA and Canada. Beyond banking, the actors were also interested in shopping, communication and business apps, and the researchers found targets such as German online car-selling services, Polish online shopping sites and well-known email services. A detailed list of targeted apps is included in ThreatFabric's BlackRock report.