Multiple researchers have voiced concerns about banking Trojans expanding their playing field to non-financial apps. Those concerns have now materialised: this new malware, which descends from the LokiBot banking trojan lineage, has widened its scope to target major non-financial apps, including chat, dating, gaming, and social media apps.
The Discovery of BlackRock
Researchers recently disclosed their findings on an Android banking trojan named BlackRock. According to these findings, BlackRock can steal credentials and credit card information from a list of 337 financial, networking, communication, dating, and social apps.
BlackRock poses as a fake Google Update to request Accessibility Service privileges; once installed, it hides its icon from the app drawer. With those initial privileges obtained, it abuses the Accessibility Service to grant itself the additional permissions it needs, so it can operate fully without any further user interaction. Its feature set includes interfering with the use of antivirus and system-cleaning software, performing overlay attacks, acting as a keylogger, sending spam and stealing SMS messages, and pushing system notifications to its C2 server.
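The capability stack described above (an Accessibility Service binding, overlay permission, and SMS access) is visible in an app's decoded AndroidManifest.xml before the app ever runs. The following Python script is an added triage example written for this page; it is not code from eScan or from the BlackRock research, and the permission grouping and verdict thresholds are our own heuristic. The manifests embedded in it are constructed for the example, and the package name and service name are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Our own heuristic grouping of permissions onto the behaviours in the text
# (overlay attacks, SMS theft/spam). This is not an indicator list from any report.
INDICATORS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
}
# A service that the system binds as an Accessibility Service must declare this permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability indicators found in a manifest and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    accessibility_services = [
        s.get(NAME_ATTR)
        for s in root.iter("service")
        if s.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION
    ]
    hits = {k: sorted(requested & v) for k, v in INDICATORS.items() if requested & v}
    if accessibility_services:
        hits["accessibility"] = accessibility_services

    # Accessibility alone is legitimate (screen readers, automation tools).
    # Accessibility together with overlay and SMS capability is the stack an
    # overlay banking trojan needs, so that combination is what gets flagged.
    if {"accessibility", "overlay", "sms"} <= set(hits):
        verdict = "suspicious"
    elif "accessibility" in hits:
        verdict = "review"
    else:
        verdict = "benign"

    app = root.find("application")
    label = app.get(LABEL_ATTR) if app is not None else None
    return {"label": label, "indicators": hits, "verdict": verdict}


# Constructed sample: a dropper styled as a system update (placeholder names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Google Update">
    <service android:name=".UpdateService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a screen reader that needs accessibility but nothing else.
BENIGN_ACCESSIBILITY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenreader">
  <application android:label="Screen Reader">
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with only network access.
MINIMAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.minimal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in [("fakeupdate", SUSPICIOUS_MANIFEST),
                           ("screenreader", BENIGN_ACCESSIBILITY_MANIFEST),
                           ("minimal", MINIMAL_MANIFEST)]:
        print(name, triage_manifest(manifest))
```

This is a static, first-pass filter only: the icon hiding, the self-granting of further permissions through the Accessibility Service, and the C2 traffic all happen at runtime and are not visible in the manifest, so a "suspicious" result is a reason to run the sample dynamically, not a detection on its own. Run it against a manifest decoded with apktool or a similar tool rather than the binary AXML form inside the APK.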
List of Targeted Apps
BlackRock campaigns have been circulating for a while, and the Trojan now comes with an extended credential-theft target list.
BlackRock's credential-theft list of 226 apps includes Gmail, Microsoft Outlook, Google Play, Uber, Amazon, eBay, Netflix, and Cash App, multiple cryptocurrency wallet apps such as Coinbase and Binance, and banks such as Santander, Barclays, Royal Bank of Scotland, Lloyds, ING, and Wells Fargo, among many others.
A further 111 applications are on its credit card theft target list, including Twitter, Skype, Snapchat, Telegram, WhatsApp, Instagram, Facebook, Play Store, YouTube, VK, Reddit, TikTok, Mamba, Tinder, Badoo, and Grindr, among others.
The Origin Story
At the moment, BlackRock is the only known Android banking Trojan based on the leaked source code of the Xerxes trojan. Xerxes is itself a strain of the LokiBot Android Trojan, which is how BlackRock inherits its LokiBot lineage.
To read more, please check eScan Blog