In July 2020, security researchers at ThreatFabric documented a strain of Android banking malware that targets 337 apps, many of them non-financial, stealing credentials and card data from dating, social networking, and cryptocurrency applications as well as banking apps. Known as “BlackRock,” the trojan's source code is derived from a leaked version of the Xerxes banking malware, which is itself a variant of the LokiBot Android banking trojan first observed in 2016.
According to ThreatFabric, “Not only did the [BlackRock] Trojan undergo changes in its code, but also comes with an increased target list and has been ongoing for a longer period. It contains an important number of social, networking, communication and dating applications [that] haven't been observed in target lists for other existing banking Trojans.”
BlackRock collects data by abusing Android's Accessibility Service. On first launch it asks the user to enable accessibility for it under the guise of a fake Google update prompt. Once that single permission is granted, the malware uses the accessibility service to click through further permission dialogs on its own, then connects to a remote command-and-control server that hands it its target list and commands. When the victim opens a targeted app, BlackRock draws an overlay that mimics that app's login or payment screen on top of the real one; credentials and card details typed into the overlay are sent to the C2 server.
This is not the first time mobile malware has abused Android's accessibility features. In early 2020, IBM X-Force researchers detailed TrickMo, an Android component tied to the TrickBot campaign, which targeted German banking customers and misused accessibility features to intercept one-time passwords (OTP), pushTAN authentication codes and mobile TANs (mTAN).
What sets BlackRock's campaign apart is the breadth of its target list, which extends well beyond mobile banking apps.
Beyond overlays, BlackRock can intercept SMS messages, perform SMS floods, spam the victim's contacts with predefined SMS, launch specific apps, display custom push notifications, and sabotage mobile antivirus apps, among other capabilities.
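The capability set described above (an accessibility service combined with overlay drawing and SMS control) is something a defender can screen for statically before a sample ever runs. The script below is an added example written for this article; it is not code from the original page, from ThreatFabric, or from any BlackRock sample. It parses an AndroidManifest.xml with the standard library and flags the overlay-trojan permission pattern. Both sample manifests, the package names (`com.example.fakeupdate`, `com.example.reader`) and the “Google Update” label are constructed for illustration and are not BlackRock's real identifiers.

```python
"""Static triage of Android manifests for the overlay banking trojan pattern:
an accessibility service declared alongside overlay and SMS permissions.
Added example with constructed sample manifests, not malware code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Return the namespaced key ElementTree uses for an android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Each of these is legitimate on its own; next to an accessibility service they
# form the toolkit described in the article (overlays, OTP theft, SMS spam).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP / mTAN codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (floods, spamming contacts)",
    "android.permission.READ_CONTACTS": "enumerate contacts to spam",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(xml_text: str) -> dict:
    """Parse a manifest and report declared accessibility services and risky permissions."""
    root = ET.fromstring(xml_text)
    name_attr = android_attr("name")
    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    risky = sorted(requested & RISKY_PERMISSIONS.keys())
    # A service that the system binds with BIND_ACCESSIBILITY_SERVICE is an
    # accessibility service; it can read screen content and click on the user's behalf.
    accessibility_services = [
        s.get(name_attr)
        for s in root.iter("service")
        if s.get(android_attr("permission")) == ACCESSIBILITY_BIND
    ]
    # An accessibility service by itself is normal (screen readers, automation tools).
    # Flag only the combination with overlay or SMS capability.
    suspicious = bool(accessibility_services) and len(risky) >= 2
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "risky_permissions": {p: RISKY_PERMISSIONS[p] for p in risky},
        "suspicious": suspicious,
    }


# Constructed manifest imitating a fake "Google Update" dropper (hypothetical names).
FAKE_UPDATE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Google Update">
        <service android:name="com.example.fakeupdate.AccessSvc"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest of a benign screen reader: accessibility service, nothing else.
SCREEN_READER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Reader">
        <service android:name="com.example.reader.ReaderService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (FAKE_UPDATE_MANIFEST, SCREEN_READER_MANIFEST):
        report = analyze_manifest(manifest)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{report['package']}: {verdict}")
        for perm, why in report["risky_permissions"].items():
            print(f"  {perm}: {why}")
```

Treat the verdict as a triage signal, not a detection: the manifest only shows what an app declares, and a dropper can keep its manifest lean and fetch a second stage after the accessibility service has clicked through the remaining prompts, so this check is most useful on the final payload rather than the installer.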