On Thursday, security researchers disclosed a new strain of Android banking malware that steals credentials and other data not only from banking apps but also from 337 non-banking Android apps, including social networking, cryptocurrency, and dating apps. ThreatFabric analysts first spotted the malware, dubbed BlackRock, in May of this year. Analysis showed that its code is derived from the Xerxes banking malware, itself a strain of the LokiBot Android banking Trojan first observed in 2016 and 2017.
The source code of Xerxes was leaked by its author in May 2019, so any threat actor can now obtain it. It is common for new variants to appear once malware source code becomes public. In this case, however, no other malware based on the Xerxes code has been observed; BlackRock appears to be the only Trojan built on it.
In a blog post, ThreatFabric stated that BlackRock's code has been modified and that it ships with an expanded target list. It collects data by abusing Android's Accessibility Service. When the victim first launches the app on their device, it asks the user to grant that permission under the guise of a fake Google update.
Once the Accessibility Service is enabled, BlackRock uses it to grant itself additional permissions, then establishes a connection with a remote command-and-control (C2) server to carry out its malicious activities. It injects overlays on top of the sign-in and payment screens of targeted applications to capture what the user types. These credential-stealing overlays have been observed against financial applications in the United States, Europe, Canada, and Australia, as well as against shopping, business, and communication applications.
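The Accessibility Service abuse described above leaves a trace a responder can look for on a suspect device: once the victim accepts the fake update prompt, the malicious service appears in Android's enabled_accessibility_services secure setting. The script below is an added example, not code from the article or from ThreatFabric. It parses that setting's value (a colon-separated list of package/service-class pairs, as returned by adb) and flags any component that is not on an allowlist. The MDM allowlist entry, the constructed sample value, and the package name com.update.google are assumptions made for illustration; the adb command reads the real value from an attached device.

```shell
#!/bin/sh
# Added example (not code from the article or from ThreatFabric): triage the
# Android "enabled_accessibility_services" setting for services that are not on
# an allowlist. A Trojan that tricks the user into enabling its accessibility
# service shows up in this setting as a <package>/<service class> pair.

# Allowlist of accessibility service components expected on a managed device.
# TalkBack is Google's real screen reader; the second entry is a hypothetical
# MDM agent and must be replaced with the organisation's approved services.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService
com.example.mdm/.AccessibilityAgent"

# Return 0 if the component is on the allowlist, 1 otherwise. Fixed-string,
# whole-line match, so "com.foo/.Svc" does not match "com.foo/.Svc2".
is_allowed() {
    printf '%s\n' "$ALLOWED_SERVICES" | grep -qxF -- "$1"
}

# Take the raw value of the enabled_accessibility_services setting and print
# every component that is not allowlisted, one per line. Prints nothing when
# the list is empty or unset (adb prints the literal string "null" then).
flag_unexpected_services() {
    setting=$1
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$setting" | tr ':' '\n' | while IFS= read -r component; do
        [ -n "$component" ] || continue
        is_allowed "$component" || printf '%s\n' "$component"
    done
}

# Read the live setting from an attached device (requires USB debugging) and
# run the same check. adb output carries CR LF on some hosts, so strip the CR.
check_attached_device() {
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unexpected_services "$value"
}

# Constructed sample: TalkBack plus a hypothetical sideloaded app whose name
# mimics a Google update, the kind of lure the article describes.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.update.google/com.update.google.AccService"

# Running the check on the sample prints only the unexpected component.
flag_unexpected_services "$SAMPLE_SETTING"
```

For a real device, run `check_attached_device` and pair any flagged component with `adb shell pm list packages -3` to confirm whether the package was sideloaded; an allowlist that only contains TalkBack will also flag legitimate third-party accessibility tools, so review each hit rather than treating the output as a verdict.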
ThreatFabric's researchers noted that the non-banking portion of the target list includes popular apps such as Uber, Grindr, Twitter, Snapchat, Skype, Tumblr, Reddit, and Amazon, among others.
This is not the first time Android's accessibility features have been abused by mobile malware. Earlier this year, researchers at IBM X-Force detailed a TrickBot campaign, dubbed TrickMo, that exclusively targeted German users with malware abusing Android's accessibility features to intercept OTP, pushTAN, and mTAN authentication codes.
Then in April of this year, Cybereason documented a distinct class of banking malware called EventBot, which abused the same feature to exfiltrate sensitive information from banking apps, read users' messages, and hijack SMS-based 2FA codes. What sets the BlackRock campaign apart is the sheer breadth of its targets, which go well beyond mobile banking applications. ThreatFabric's researchers concluded that financially motivated threat actors can be expected to create new banking Trojans and to keep improving existing ones such as Alien, BlackRock, and EventBot.