A new strain of Android malware has emerged that can steal data from at least 337 Android apps. Called BlackRock, this malware was first spotted in May this year and discovered by a mobile security company called ThreatFabric.
Researchers at ThreatFabric said that BlackRock is based on the leaked source code of another malware strain called Xerxes (Xerxes itself is based on other malware strains). BlackRock, however, has been beefed up with additional features, especially ones that help steal passwords and credit card information, according to a report by ZDNet.
BlackRock works like most other Android banking trojans except that it can target more apps, 337 to be precise, than all its predecessors. It can both steal login credentials and prompt the victim to enter credit card details if the apps support financial transactions.
ThreatFabric says that BlackRock’s data collection happens through a method called ‘overlays’, which involves detecting when a user is trying to interact with a legitimate app and showing a fake window on top that collects the login details and card data before allowing the user to actually start using the legitimate app.
The security company shared a report with ZDNet in which researchers said that a large majority of BlackRock overlays are aimed at phishing financial, social media and communication apps. However, BlackRock also has overlays for dating, shopping, lifestyle, news and productivity apps. The full list of apps that BlackRock can target includes the likes of Gmail, Uber, Twitter, Snapchat, Instagram etc.
BlackRock uses the Accessibility feature to grant itself access to other Android permissions and then uses an Android DPC (a device policy controller, which is basically a work profile) to give itself admin access to the device. Then it uses this access to show the overlays. But it does not end here.
BlackRock can perform other ‘intrusive’ operations like –
– Overlaying: Dynamic (Local injects obtained from C2)
– SMS harvesting: SMS listing
– SMS harvesting: SMS forwarding
– Device info collection
– SMS: Sending
– Remote actions: Screen-locking
– Self-protection: Hiding the app icon
– Self-protection: Preventing removal
– Notifications collection
– Grant permissions
– AV detection
BlackRock is currently being distributed in the guise of fake Google update packages offered by third-party sites and fortunately has not turned up on the Google Play Store yet.
However, since older Android malware strains have found a way to bypass Google’s app review process, it won’t be long before BlackRock is deployed on the Play Store.
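A defender-side check for the behaviour described above, as an added example that is not part of the original article: it takes the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and lists apps that have an accessibility service enabled but were not installed by Google Play. The package names and sample output are constructed, and the `preinstalled` allowlist is an assumption of this example.

```python
# Added example: all package names and sample output below are constructed.
PLAY_INSTALLER = "com.android.vending"

def accessibility_packages(setting_value):
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of package/class components;
    an unset value is printed as "null".
    """
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def installers(pm_output):
    """Parse `pm list packages -i` lines: package:<name>  installer=<name>."""
    found = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field[len("installer="):]
        found[fields[0][len("package:"):]] = None if installer == "null" else installer
    return found

def sideloaded_accessibility_apps(setting_value, pm_output, preinstalled=()):
    """Packages with an enabled accessibility service that Play did not install.

    `preinstalled` is a caller-supplied allowlist, since system apps also
    report no installer.
    """
    source = installers(pm_output)
    return sorted(pkg for pkg in accessibility_packages(setting_value)
                  if pkg not in preinstalled and source.get(pkg) != PLAY_INSTALLER)

# Constructed sample data standing in for real adb output.
SAMPLE_SETTING = ("com.example.reader/.ReaderService:"
                  "com.example.fakeupdate/com.example.fakeupdate.Svc:"
                  "com.example.vendorassist/.Assist")
SAMPLE_PM = """\
package:com.example.reader  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.vendorassist  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    print(sideloaded_accessibility_apps(SAMPLE_SETTING, SAMPLE_PM,
                                        preinstalled={"com.example.vendorassist"}))
```

A flagged package is a lead for review, not a verdict: legitimate sideloaded accessibility tools will also appear in the list.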