BlackRock malware can steal password, credit card details from 337 Android smartphone apps
Android malware creators keep finding new ways to bypass Google's app review process. We saw how the Joker malware resurfaced by using one of the oldest tricks to get past Google's review. Now researchers from the mobile security firm ThreatFabric have discovered a novel and destructive malware strain named BlackRock.
BlackRock steals data such as passwords and credit card details from 337 apps, including popular ones like Gmail, Amazon, Netflix, Uber, and more. BlackRock is essentially a banking Trojan built on modified Xerxes malware code. Xerxes itself was a strain of the LokiBot Android Trojan.
What sets BlackRock apart is that, despite being a banking Trojan, it also targets non-financial apps like Gmail and Amazon. Its infection process is unusual: it first poses as a Google Update, and once the user grants it permissions, it hides its icon from the app drawer and runs in the background, waiting for further instructions from its command and control server.
The researchers first spotted BlackRock malware in May 2020. Although the capabilities of BlackRock are similar to those of the average Android banking Trojan, it targets a total of 337 apps, significantly more than any previously known malicious code of this kind.
BlackRock collects data through a technique called "overlays". It detects when a user interacts with a legitimate app and places a fake window on top that asks for login and credit card details. The victim usually enters the data believing they are dealing with the legitimate app's own window.
Once the app is installed on a smartphone, BlackRock first asks the user to grant access to the phone's Accessibility feature. It then uses the Accessibility feature to grant itself other Android permissions. Once it has these permissions, it accesses the Android DPC admin panel. Using the DPC admin panel, BlackRock creates display overlays to collect user credentials and credit card details, which are then exfiltrated to the command and control server.
ThreatFabric researchers say that BlackRock can also:
- Intercept SMS messages
- Perform SMS floods
- Spam contacts with predefined SMS
- Start specific apps
- Log key taps (keylogger functionality)
- Show custom push notifications
- Sabotage mobile antivirus apps, and more
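As an added defender-side example (not code from the ThreatFabric report or this article), the following Python triage heuristic scores installed packages against the behaviours described above: Accessibility access, overlay drawing, device-admin rights, SMS access, a hidden launcher icon, and a Google-branded label outside Google's package namespace. The permission strings are real Android permission names; the inventory records, package names, and the threshold of three indicators are constructed assumptions.

```python
"""Triage heuristic for the BlackRock-style behaviour described in the article.
Records mimic a per-package device inventory; the sample data is CONSTRUCTED."""
from dataclasses import dataclass, field

# Real Android permission strings tied to the behaviours described above.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
TRUSTED_PREFIXES = ("com.google.", "com.android.")

@dataclass
class AppRecord:
    label: str                 # user-visible app name
    package: str               # Android package name
    permissions: set = field(default_factory=set)
    has_launcher_icon: bool = True   # False once the icon is hidden from the drawer

def score_app(app: AppRecord) -> tuple[int, list[str]]:
    """Count how many of the article's indicators one package exhibits."""
    reasons = []
    if ACCESSIBILITY in app.permissions:
        reasons.append("requests Accessibility service")
    if OVERLAY in app.permissions:
        reasons.append("can draw overlays on other apps")
    if DEVICE_ADMIN in app.permissions:
        reasons.append("requests device-admin rights")
    if app.permissions & SMS_PERMS:
        reasons.append("can read or send SMS")
    if not app.has_launcher_icon:
        reasons.append("no launcher icon (hidden from app drawer)")
    if "google" in app.label.lower() and not app.package.startswith(TRUSTED_PREFIXES):
        reasons.append("Google-branded label outside Google package namespace")
    return len(reasons), reasons

def flag_suspicious(apps, threshold=3):
    """Map package -> indicators for every app at or above the threshold."""
    return {a.package: score_app(a)[1] for a in apps if score_app(a)[0] >= threshold}

# Constructed inventory: a legitimate accessibility tool and a BlackRock-like sample.
SAMPLE_APPS = [
    AppRecord("Screen Reader", "com.example.reader", {ACCESSIBILITY}),
    AppRecord("Google Update", "com.upd.svc",
              {ACCESSIBILITY, OVERLAY, DEVICE_ADMIN, "android.permission.RECEIVE_SMS"},
              has_launcher_icon=False),
]
if __name__ == "__main__":
    for pkg, why in flag_suspicious(SAMPLE_APPS).items():
        print(pkg, "->", "; ".join(why))
```

A single indicator (a screen reader needing Accessibility) is normal; it is the combination, especially with a hidden icon and overlay rights, that matches the behaviour the researchers describe.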
The report states that BlackRock is distributed as fake Google update packages offered on third-party websites and has not yet been spotted on the Google Play Store. "In the case of BlackRock, the features are not very innovative but the target list has a large international coverage and it contains quite a lot of new targets which haven't been seen being targeted before," the researchers noted in the blog post.