Criminals continue to find new ways to try to steal data from our mobile devices, and the latest to appear is a new strain of Android malware capable of targeting 337 apps.
As ZDNet reports, the malware is called BlackRock and it was discovered by security company ThreatFabric. BlackRock isn’t exactly brand new; rather, it’s derived from the leaked source code of the Xerxes malware, which is itself a strain of the LokiBot banking trojan. What’s most worrying about BlackRock is the sheer number of apps it can target in an attempt to steal data.
Once installed on a device, BlackRock monitors for, and detects, the moment one of the legitimate apps it targets is opened. At that point an “overlay” pops up on screen that looks like the legitimate app but is in fact a fake. The user, none the wiser, enters their login and/or card details, and BlackRock sends them off to a server while returning the user to the legitimate app.
BlackRock manages to gain root access by asking for Accessibility Service privileges when it first gets installed. For now, it isn’t on the Play Store and is infiltrating devices by being offered as a fake Google Update on third-party stores. As ThreatFabric explains, “Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks.”
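The two indicators described above, arrival outside Google Play and a request for Accessibility Service access, can be checked on a device with two adb commands. The following triage helper is an added example, not code from the article or from ThreatFabric; it parses the value of the `enabled_accessibility_services` secure setting and the `installerPackageName=` line of `dumpsys package`, and flags any package with an enabled accessibility service that Google Play did not install. The sample output and the package name `com.example.googleupdate` are constructed, and the assumed `dumpsys` line format varies across Android versions.

```python
"""Triage helper: flag sideloaded apps that hold Accessibility Service access.

Input is the text of two adb commands (sample output below is constructed):
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>      (for the installerPackageName line)
"""
import re

# Constructed sample: colon-separated "package/ServiceClass" entries.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.googleupdate/.AccessService"
)

# Constructed sample: installer recorded by the package manager per package.
DUMPSYS_SNIPPETS = {
    "com.google.android.marvin.talkback": "  installerPackageName=com.android.vending\n",
    "com.example.googleupdate": "  installerPackageName=null\n",  # sideloaded
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play


def parse_enabled_services(setting: str) -> dict:
    """Map package name -> list of its enabled accessibility service classes."""
    services = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def installer_of(dumpsys_text: str):
    """Return the installer package, or None when sideloaded/unknown."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_text)
    if not m or m.group(1) == "null":
        return None
    return m.group(1)


def flag_suspicious(setting: str, dumpsys: dict) -> list:
    """Packages with accessibility access that a trusted store did not install."""
    flagged = []
    for pkg, classes in parse_enabled_services(setting).items():
        installer = installer_of(dumpsys.get(pkg, ""))
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer, classes))
    return flagged


if __name__ == "__main__":
    for pkg, installer, classes in flag_suspicious(ENABLED_SERVICES, DUMPSYS_SNIPPETS):
        print(f"REVIEW {pkg}: services={classes} installer={installer}")
```

A hit is a prompt for manual review, not proof of infection: legitimate accessibility tools are sometimes sideloaded too.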
As well as the fake overlays, BlackRock is capable of keylogging, granting permissions, SMS harvesting and sending, screen locking, device information collection, notification collection and AV detection, and it can both hide its app icon and prevent its own removal. The malware targets the usual financial and social apps, but also spreads its net to include the categories of Books & Reference, Business, Communication, Dating, Entertainment, Lifestyle, Music & Audio, News & Magazine, Tools, and Video Players & Editors.
Clearly BlackRock is a very robust strain of malware, but it isn’t in the Google Play store yet, with the key word there being “yet.” ThreatFabric concludes that, “we can’t yet predict how long BlackRock will be active on the threat landscape,” but goes on to say, “The most important aspect to take care of is securing the online banking channels, making fraud hard to perform, therefore discouraging criminals to make more malware.”