New Android Malware BlackRock can steal user passwords and bank card details from 337 Android apps


The BlackRock Android malware can steal user passwords, bank details and card numbers from 337 Android apps

Researchers have found yet another Android malware that can leak personal user data and banking details. The new malware, dubbed BlackRock, is capable of a wide range of data theft. According to the reports, it targets the users of about 337 Android apps.

It is also known that the malware is based on the leaked source code of another malware strain (Xerxes, itself based on other malware strains), but was enhanced with additional features, especially on the side that deals with the theft of user passwords and credit card information.

In a report shared with ZDNet this week prior to publication, ThreatFabric researchers say the vast majority of BlackRock overlays are geared towards phishing financial and social media/communications apps. However, there are also overlays included for phishing data from dating, news, shopping, lifestyle, and productivity apps. The full list of targeted apps is included in the BlackRock report.

Last week we also reported on a similar Android malware that allowed attackers to steal user passwords and credit card details via SMS. In May we saw another Android malware that stole credit card and banking details from users by displaying a COVID-19 label.

Now, this BlackRock Android Malware is found targeting banking, dating, social media, and instant messaging Android apps to steal personal data.

As BlackRock is based on the Xerxes banking Trojan, it is one of the LokiBot descendants, a family with several variants, as shown hereafter. LokiBot itself was first observed between the end of 2016 and the beginning of 2017 as rented malware. Some time after the author of the Trojan was banned from underground forums, the source code of the Trojan was leaked.

When the malware is first launched on the device, it will start by hiding its icon from the app drawer, making it invisible to the end-user. As a second step, it asks the victim for the Accessibility Service privileges. Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions.

Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks.

BlackRock offers a quite common set of capabilities compared to average Android banking Trojans. It can perform the infamous overlay attacks, send, spam and steal SMS messages, lock the victim in the launcher activity (HOME screen of the device), steal and hide notifications, deflect usage of Antivirus software on the device and act as a keylogger.
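The privilege set described above (an Accessibility Service, overlay windows, SMS access, notification access) can be triaged statically before an app is ever installed. The following is an added defender-side example, not code from the article or from ThreatFabric's report: it reads a decoded AndroidManifest.xml (for instance as produced by apktool) and flags which of those permission groups the app declares. The manifest, package name and service name are constructed for illustration; the permission strings are the real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the behaviour described above: Accessibility
# Service abuse, overlay windows, SMS theft/spam and notification interception.
RISK_GROUPS = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

# Constructed manifest for illustration only; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Update">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def declared_privileges(xml_text: str) -> set:
    """<uses-permission> names plus the bind permission of every <service>.

    Accessibility Services and notification listeners are not requested with
    <uses-permission>; they are services guarded by a BIND_* permission, so a
    triage that reads only <uses-permission> misses the privilege BlackRock needs.
    """
    root = ET.fromstring(xml_text)
    found = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    found.discard(None)  # services without android:permission yield None
    return found

def triage_manifest(xml_text: str) -> dict:
    """Flag each risk group and count how many groups the manifest hits."""
    declared = declared_privileges(xml_text)
    hits = {name: bool(perms & declared) for name, perms in RISK_GROUPS.items()}
    hits["groups_hit"] = sum(hits.values())
    return hits
```

Runtime behaviour such as hiding the launcher icon or self-granting permissions through the Accessibility Service is not visible in the manifest, so this check is a first filter, not a verdict.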

Although BlackRock is a new Trojan with an exhaustive target list, looking at previous unsuccessful attempts by actors to revive LokiBot through new variants, we can't yet predict how long BlackRock will remain active on the threat landscape. For more news on tech and cybersecurity stay tuned on Android Rookies by subscribing to our newsletter from here.

