A new Android malware strain has emerged in the criminal underworld that comes equipped with a wide range of data theft capabilities allowing it to target a whopping 337 Android applications.
Named BlackRock, this new threat emerged in May this year and was discovered from mobile security firm ThreatFabric.
Researchers say the malware was based on the leaked source code of another malware strain (Xerxes, based itself on other malware strains) but was enhanced with additional features, especially on the side that deals with the theft of user passwords and credit card information.
BlackRock still works like most Android banking trojans, though, except it targets more apps than most of its predecessors.
The trojan will steal both login credentials (username and passwords), where available, but also prompt the victim to enter payment card details if the apps support financial transactions.
Per ThreatFabric, the data collection takes place via a technique called “overlays,” which consists of detecting when a user tries to interact with a legitimate app and showing a fake window on top that collects the victim’s login details and card data before allowing the user to enter the intended legitimate app.
In a report shared with ZDNet this week prior to publication, ThreatFabric researchers say the vast majority of BlackRock overlays are geared towards phishing financial and social media/communications apps. However, there are also overlays included for phishing data from dating, news, shopping, lifestyle, and productivity apps. The full list of targeted apps is included in the BlackRock report.
To show the overlays, BlackRock isn’t that unique, and, under the hood, BlackRock works like most Android malware these days and uses old, tried, and tested techniques.
Once installed on a device, a malicious app tainted with the BlackRock trojan asks the user to grant it access to the phone’s Accessibility feature.
The Android Accessibility feature is one of the operating system’s most powerful feature, as it can be used to automate tasks and even perform taps on the user’s behalf.
BlackRock uses the Accessibility feature to grant itself access to other Android permissions and then uses an Android DPC (device policy controller, aka a work profile) to give itself admin access to the device.
It then uses this access to show the malicious overlays, but ThreatFabric says the trojan can also perform other intrusive operations, such as:
- Intercept SMS messages
- Perform SMS floods
- Spam contacts with predefined SMS
- Start specific apps
- Log key taps (keylogger functionality)
- Show custom push notifications
- Sabotage mobile antivirus apps, and more
Currently, BlackRock is distributed disguised as fake Google update packages offered on third-party sites, and the trojan hasn’t yet been spotted on the official Play Store.
However, Android malware gangs have usually found ways to bypass Google’s app review process in the past, and at one point or another, we’ll most likely see BlackRock deployed in the Play Store.