A new strain of Android banking malware that can steal information from an estimated 337 apps, including Amazon, Facebook, Gmail and Tinder, has been discovered by security researchers.
The malware, dubbed BlackRock, was identified by cybersecurity firm ThreatFabric in May and has links to another strain of malware.
When investigating BlackRock, the researchers said it “looked pretty familiar” and went on to find that it used the source code of the Xerxes malware, itself derived from malware called LokiBot, as reported by ZDNet.
ThreatFabric said the source code “was made public by its author around May 2019” and was “accessible to any threat actor”. The firm also believes that BlackRock is the only banking Trojan currently using this source code.
What’s interesting about BlackRock is that even though it has adopted source code from Xerxes, the hackers tweaked the code, have more targets and have been operating for longer.
It also widens the scope of its attacks beyond online banking apps to general-purpose apps.
BlackRock steals credentials such as usernames and passwords from 226 apps, including Amazon, Cash App, eBay, Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, myAT&T, Netflix, PayPal, Uber and Yahoo Mail, as well as a whole lot of banking and cryptocurrency apps.
It steals credit-card numbers from an additional 111 apps, including Facebook, Facebook Messenger, Google Hangouts, Grindr, Instagram, Kik, Periscope, Pinterest, PlayStation, Reddit, Skype, Snapchat, Telegram, TikTok, Tinder, Tumblr, Twitter, Viber, the Russian social network VK, WhatsApp, WeChat and YouTube.
Beware seemingly legitimate apps
Like many strains of malware, BlackRock masquerades as seemingly legitimate apps and asks users to grant various permissions so that it can then steal device data.
“When the malware is first launched on the device, it will start by hiding its icon from the app drawer, making it invisible to the end-user. As [a] second step it asks the victim for the Accessibility Service privileges,” wrote the researchers in a blog post.
“Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 [command-and-control] server and perform the overlay attacks.”
After being granted various permissions, the hackers can then use the malware to send and download text messages, run apps, access notifications and unlock the infected phone among other commands.
The Trojan also renders antivirus applications useless.
According to ThreatFabric: “The Trojan will redirect the victim to the HOME screen of the device if the victims tries to start or use antivirus software as per a specific list including Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, Avira, and even applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner.”
It says that other abilities include:
- Overlaying: Dynamic (Local injects obtained from C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Device info collection
- SMS: Sending
- Remote actions: Screen-locking
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Notifications collection
- Grant permissions
- AV detection
Perhaps more alarming is that BlackRock harvests account information such as usernames and passwords. And using a method known as “overlays”, it encourages users to reveal their credit card information.
These overlays were used for a range of apps, including business, messaging, dating, entertainment, finance, lifestyle, news, social media and more.
The Trojan isn’t believed to be active on the Google Play Store. Instead, it hides in spoofed Google update packages via third-party websites.
To protect yourself, you should make sure that you download apps only from reputable sources (e.g the Play Store), read app reviews, use unique passwords and check app permissions.