    Thursday, July 16, 2020

    BlackRock Malware Steals Data From 337 Android Apps

    Cybersecurity researchers today uncovered a new strain of banking malware that not only targets banking apps but also steals data and credentials from social networking, dating, and cryptocurrency apps—in total 337 non-financial Android applications on its target list.

    As ZDNet reports, the malware is called BlackRock and it was discovered by security company ThreatFabric. BlackRock isn't exactly brand new; rather, it's derived from the leaked source code of the Xerxes malware, which is a strain of the LokiBot banking trojan. What's most worrying about BlackRock is the sheer number of apps it can target in an attempt to steal data.

    Once installed on a device, BlackRock monitors and detects when one of the legitimate apps it targets is opened. At that point an "overlay" is popped up on screen which looks like the legitimate app, but is actually fake. The user, being none the wiser, enters their login and/or card details and BlackRock sends them off to a server while also returning the user to the legitimate app.

    BlackRock manages to gain root access by asking for Accessibility Service privileges when it first gets installed. For now, it isn't on the Play Store and is infiltrating devices by being offered as a fake Google Update on third-party stores. As ThreatFabric explains, "Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. 

    Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks."
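A defender's check that follows from the two points above (Accessibility Service abuse and delivery through third-party stores), added here as an example and not taken from ThreatFabric or the original article: it lists apps that hold an enabled Accessibility Service but were not installed by a trusted store. The sample command output, the com.example.* package names and the one-entry trusted-installer list are constructed assumptions.

```python
# Constructed sample output of three adb commands (not taken from a real device):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i   (package plus installer)
#   adb shell pm list packages -s   (preinstalled system packages)
SERVICES = ("com.example.reader/.TtsService:"
            "com.example.update/com.example.update.SyncService:"
            "com.example.oem.assist/.AssistService")
INSTALLERS = """package:com.example.reader  installer=com.android.vending
package:com.example.update  installer=null
package:com.example.oem.assist  installer=null"""
SYSTEM = "package:com.example.oem.assist"

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def parse_services(raw):
    """Map package -> service classes from the colon-separated setting value."""
    found = {}
    raw = raw.strip()
    if raw and raw != "null":          # "null" or empty means no service is enabled
        for component in raw.split(":"):
            pkg, _, cls = component.partition("/")
            if pkg:                    # ignore empty entries such as a trailing colon
                found.setdefault(pkg, []).append(cls)
    return found

def parse_packages(raw):
    """Map package -> installer (None when absent or 'null') from pm output."""
    packages = {}
    for line in raw.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("package:"):
            installer = None
            for field in fields[1:]:
                if field.startswith("installer=") and field != "installer=null":
                    installer = field[len("installer="):]
            packages[fields[0][len("package:"):]] = installer
    return packages

def audit(services_raw, installers_raw, system_raw):
    """Return (package, installer, classes) for non-system apps that hold an
    enabled Accessibility Service and were not installed by a trusted store."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))
    findings = []
    for pkg, classes in sorted(parse_services(services_raw).items()):
        # Preinstalled apps also report installer=null, so skip them explicitly.
        if pkg not in system and installers.get(pkg) not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers.get(pkg), classes))
    return findings

if __name__ == "__main__":
    for pkg, installer, classes in audit(SERVICES, INSTALLERS, SYSTEM):
        print(f"review: {pkg} installer={installer} services={classes}")
```

A finding is a prompt for manual review, not a verdict: legitimately sideloaded accessibility tools will appear in the same list.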

    As well as the fake overlays, BlackRock is capable of keylogging, granting permissions, SMS harvesting and sending, screen locking, device information collection, notification collection, and AV detection, and can both hide its app icon and prevent its own removal.

    The apps the malware targets cover the usual financial and social apps, but it also spreads its net to include the categories of Books & Reference, Business, Communication, Dating, Entertainment, Lifestyle, Music & Audio, News & Magazine, Tools, and Video Players & Editors.

    Clearly BlackRock is a very robust strain of malware, but it isn't in the Google Play store yet, with the key word there being "yet." ThreatFabric concludes that, "we can't yet predict how long BlackRock will be active on the threat landscape," but goes on to say, "The most important aspect to take care of is securing the online banking channels, making fraud hard to perform, therefore discouraging criminals to make more malware."