New Android Malware BlackRock Targets Massive List of Common Android Apps

When a banking trojan variant expands its playing field to non-financial apps, things may get pretty frightening. That is what happened with this new malware, which expanded its scope beyond that of its predecessor, the banking trojan LokiBot, to target major non-financial apps, including chat, dating, gaming, and social media apps.

Introducing BlackRock, the trickster trojan

Recently, ThreatFabric researchers released a report on their findings about the Android banking trojan BlackRock. First identified in May 2020, BlackRock can steal credentials and credit card information from a list of 337 financial, networking, communication, dating, and social apps.

  • BlackRock poses as a fake Google Update to request 'accessibility service' privileges, and hides its icon after infecting a device.
  • Once the privileges are obtained, BlackRock grants itself additional permissions, so it can fully function without requiring any further user interaction.
  • Its features include the ability to perform overlay attacks, act as a keylogger, spam and steal SMS messages, push system notifications to the C2 server, and deflect usage of antivirus or system cleaning software.
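
A defender-side check for the accessibility-service abuse listed above, as an added example that is not taken from the ThreatFabric report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags user-installed apps that hold accessibility privileges. The sample outputs are constructed, the `com.example.*` package names and the allowlist are hypothetical, and treating a non-Play-Store installer as higher severity is an assumed heuristic.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/service" component names)
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.gupdate/com.example.gupdate.Svc:"
    "com.example.passmgr/.AutofillA11yService"
)

# Constructed sample of: adb shell pm list packages -3 -i
SAMPLE_PKGS = """\
package:com.example.gupdate  installer=null
package:com.example.passmgr  installer=com.android.vending
package:com.example.game  installer=com.android.vending
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only
ALLOWLIST = {"com.example.passmgr"}           # hypothetical approved a11y apps

def parse_a11y(raw):
    """Return the set of packages with an enabled accessibility service."""
    raw = raw.strip()
    if raw in ("", "null"):  # the setting reads "null" when nothing is enabled
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def parse_third_party(raw):
    """Map user-installed package -> installer (None if sideloaded/unknown)."""
    pkgs = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)(?:\s+installer=(\S+))?", line.strip())
        if m:
            inst = m.group(2)
            pkgs[m.group(1)] = None if inst in (None, "null") else inst
    return pkgs

def audit(a11y_raw, pkgs_raw):
    """Flag user-installed apps holding accessibility privileges."""
    third_party = parse_third_party(pkgs_raw)
    findings = []
    for pkg in sorted(parse_a11y(a11y_raw)):
        if pkg not in third_party or pkg in ALLOWLIST:
            continue  # preinstalled system app or explicitly approved
        untrusted = third_party[pkg] not in TRUSTED_INSTALLERS
        findings.append((pkg, "high" if untrusted else "review"))
    return findings

if __name__ == "__main__":
    for pkg, sev in audit(SAMPLE_A11Y, SAMPLE_PKGS):
        print(f"[{sev}] {pkg} has an accessibility service enabled")
```
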

A long list of targeted apps

BlackRock campaigns have been going on for some time, and the malware now comes with an extended credential theft target list.
BlackRock's list of 226 apps targeted for credential theft includes Gmail, Microsoft Outlook, Google Play, Uber, Amazon, eBay, Netflix, and Cash App, multiple cryptocurrency wallet apps such as Coinbase and Binance, banks like Santander, Barclays, Royal Bank of Scotland, Lloyds, ING, and Wells Fargo, and many more.

The credit card theft target list contains 111 applications, including Twitter, Skype, Snapchat, Telegram, WhatsApp, Instagram, Facebook, Play Store, YouTube, VK, Reddit, TikTok, Mamba, Tinder, Badoo, and Grindr, among others.

Origin of the malware

The malware has been derived from the code of the Xerxes banking malware (released in May 2019), which itself is a strain of the LokiBot Android banking trojan. BlackRock is the only known Android banking trojan based on the leaked source code of the Xerxes trojan at the moment.