A new piece of Android malware has begun circulating after emerging from the criminal underground. It carries a wide range of malicious capabilities and can steal data from a worrying 337 applications.
The strain is named BlackRock, and it was first spotted by the mobile security firm ThreatFabric in May 2020.
What Is The Android Malware BlackRock?
Security researchers say the malware's code is based on the leaked source code of another strain, Xerxes, which was itself derived from earlier malware (ThreatFabric traces the lineage back to the LokiBot banking trojan). BlackRock adds new features on top of that base, most of them focused on stealing payment card details and account credentials.
If you have encountered an Android banking trojan before, BlackRock works like most of them. What sets this strain apart is the number of apps it targets: far more than most of its predecessors.
The trojan tries to harvest usernames and passwords wherever it can, and, when the targeted app handles financial transactions (shopping or banking apps, for instance), it also prompts the victim for payment card details.
According to ThreatFabric, the trojan collects this data with overlays. When the user opens a targeted app, the trojan draws a fake window on top of it, and whatever the victim types into that window, such as card numbers or login credentials, is captured by the malware. The victim is then passed on to the genuine app, so nothing appears to have happened.
A ZDNet report noted that ThreatFabric's researchers found most of BlackRock's overlays are designed to phish financial, social media, messaging and communication apps, with further overlays for news, lifestyle, productivity, dating and shopping apps. The full list of targeted apps is in ThreatFabric's BlackRock report.
What Does BlackRock Do?
BlackRock is not unique in how it displays its overlays. Under the hood it works like most current Android malware, relying on techniques that have been in use for a long time.
Once BlackRock reaches a device, the malicious app carrying the trojan asks the user to grant it access to Android's Accessibility Service, one of the most powerful features of the operating system. Built to help users with disabilities, an Accessibility service can read what is on screen and perform taps without the user touching the display, which lets it automate almost any task.
The trojan uses that Accessibility access to grant itself further permissions, then enrols an Android device policy controller (a work profile) to obtain administrator privileges on the device.
That is how BlackRock gets to show its overlays, but ThreatFabric notes it can perform many other malicious operations, including reading and sending text messages, logging keystrokes, launching specific apps, showing custom notifications, interfering with antivirus apps, and more.
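The capability chain described above (an Accessibility service, device-admin enrolment, overlay windows, SMS access) is declared in an APK's manifest before any of it runs, which makes the manifest a cheap first triage step. The script below is an added example, not ThreatFabric's or this article's code: given an AndroidManifest.xml already decoded to plain XML (with apktool, for instance), it lists the Accessibility services and device-admin receivers the app declares, the overlay and SMS permissions it requests, and scores the combination. The sample manifest, package name and component names are constructed for the demonstration; the permission and action strings are the real Android ones. Declaring an Accessibility service is also what password managers and automation tools do, so treat the score as a reason to look closer, not as a verdict.

```python
"""Triage a decoded AndroidManifest.xml for the capability set that
BlackRock-style banking trojans rely on: an Accessibility service,
a device-admin receiver, the overlay permission and SMS permissions.

Added example, not ThreatFabric's code. Assumes the APK has already been
decoded to plain XML (e.g. with apktool). SAMPLE_MANIFEST is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article describes BlackRock using, with what each enables.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlay windows on top of other apps",
    "android.permission.RECEIVE_SMS": "read incoming SMS, e.g. one-time codes",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
}
SMS_PERMISSIONS = {p for p in SUSPICIOUS_PERMISSIONS if p.endswith("_SMS")}


def find_accessibility_services(root):
    """Services bound as Accessibility services: they can read the screen and inject taps."""
    return [svc.get(ATTR_NAME) for svc in root.iter("service")
            if svc.get(ATTR_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]


def find_device_admin_receivers(root):
    """Receivers bound as device administrators (the 'admin privileges' step)."""
    return [rcv.get(ATTR_NAME) for rcv in root.iter("receiver")
            if rcv.get(ATTR_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"]


def triage_manifest(xml_text):
    """Return the declared risky components/permissions and a heuristic score."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "accessibility_services": find_accessibility_services(root),
        "device_admin_receivers": find_device_admin_receivers(root),
        "suspicious_permissions": sorted(requested & set(SUSPICIOUS_PERMISSIONS)),
    }
    # Accessibility plus overlay is the core of the overlay attack; admin and SMS add to it.
    score = 0
    if findings["accessibility_services"]:
        score += 2
    if "android.permission.SYSTEM_ALERT_WINDOW" in requested:
        score += 2
    if findings["device_admin_receivers"]:
        score += 1
    if requested & SMS_PERMISSIONS:
        score += 1
    findings["score"] = score
    findings["verdict"] = "review: banking-trojan capability set" if score >= 4 else "low"
    return findings


# Constructed manifest imitating a fake "update" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Google Update">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The manifest only shows that the app is wired to receive Accessibility and device-admin access; the user still has to switch those on in Settings, which is exactly what the fake update lure talks the victim into doing.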
As of this writing, BlackRock is being distributed disguised as a Google update package. It is currently found on third-party sites and has not yet made its way onto the official Play Store. Attackers have slipped past the Play Store's review process before, however, so BlackRock could appear there too.
[BLOG] New Android banking #Trojan based on the infamous LokiBot that includes overlays for widely used dating, social, communication, crypto and financial apps. https://t.co/MARQO11BXv #Malware is on the rise, but we have mobile #ThreatIntel #MTI — ThreatFabric (@ThreatFabric) July 16, 2020