Pierluigi Paganini July 17, 2020

Researchers spotted a new Android banking trojan dubbed BlackRock malware that steals credentials and credit card data from hundreds of apps.

Security experts from ThreatFabric have discovered a new Android banking trojan dubbed BlackRock that steals credentials and credit card data from a list of 337 apps.

The BlackRock malware borrows the code from the Xerxes banking malware, which is a strain of the popular LokiBot Android trojan.

The source code of the Xerxes malware was leaked online around May 2019.

Unlike other banking trojans, BlackRock targets several non-financial Android apps, most of them are social, communication, and dating platforms.

“one of the interesting differentiators of BlackRock is its target list; it contains an important number of social, networking, communication and dating applications. So far, many of those applications haven’t been observed in target lists for other existing banking Trojans.” reads the post published by ThreatFabric. “It therefore seems that the actors behind BlackRock are trying to abuse the grow in online socializing that increased rapidly in the last months due to the pandemic situation.”

The BlackRock malware poses itself as fake Google updates: camouflages itself as Google Update.

Upon launching the malware on the mobile device, it will start by hiding its icon from the app drawer, then it asks the victim for the Accessibility Service privileges. 

“Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions,” continues the analysis. “Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks.”

The malicious code supports multiple commands, it could launch overlay attacks, log keystrokes, send spam the victims’ contact lists with SMS messages, and prevent victims from using antivirus software.

Experts noticed that the Xerxes Trojan itself implements more features because the authors of the BlackRock malware have removed those ones that are not useful to steal personal information.

Unlike other Android malware that BlackRock uses the Android work profiles, which is used by businesses to define a device policy controller (DPC) in order to control and apply policies on their mobile fleet. The feature allows controlling multiple aspects of a device without having complete administration rights on them.

The malware targets 226 applications to steal account credentials, including Gmail, Google Play services, Uber, Amazon, Netflix and Outlook.

The list of targeted apps includes cryptocurrency wallet applications (i.e. Coinbase, BitPay, and Coinbase), and banks (i.e. Santander, Barclays, Lloyds, ING, and Wells Fargo).

“The second half of 2020 will come with its surprises, after Alien, Eventbot and BlackRock we can expect that financially motivated threat actors will build new banking Trojans and continue improving the existing ones,” ThreatFabric concludes.

“With the changes that we expect to be made to mobile banking Trojans, the line between banking malware and spyware becomes thinner, banking malware will pose a threat for more organizations and their infrastructure, an organic change that we observed on windows banking malware years ago.”

Pierluigi Paganini

(SecurityAffairs – hacking, BlackRock malware)

[adrotate banner=”5″]

[adrotate banner=”13″]