BlackRock Malware Steals Data from 337 Android Apps

Cyber criminals never rest and are always alert to take advantage of any security weakness they find on our devices. This time a new threat has been detected, the BlackRock malware, which infects Android devices and is capable of stealing data from 337 applications.

BlackRock malware discovered by mobile security company ThreatFabric

This new malware emerged in May of this year and was detected thanks to the work of the mobile security company ThreatFabric. After considerable analysis, its researchers discovered that the source code of the BlackRock malware is based on another strain known as Xerxes. Its developers enhanced that code with additional features: they focused on stealing the passwords of the apps victims use and on obtaining those users' credit card details.


Thanks to ThreatFabric, we have a diagram that explains how different families of malicious code evolved over time to give rise to the BlackRock malware.

[Figure: evolution of the malware families that led to BlackRock]

Reviewing that lineage, it starts with LokiBot between 2016 and 2017, which in turn gave way to MysteryBot and Parasite in 2018. After these two came Xerxes in 2019, which, as mentioned above, supplied the source code on which the BlackRock malware was based.

Now we are going to explain how BlackRock works, and here it must be said that it works like most Android banking Trojans. However, it has an important peculiarity that sets it apart from the others: it targets more applications than its predecessors. It tries to steal data from 337 Android apps, which shows its reach and the clear risk we face if our smartphone becomes infected.

How BlackRock Malware Works and Spreads

The operation is typical for this kind of threat. The first step the Trojan takes is to steal the login credentials of the apps we use by collecting our usernames and passwords. Once this is done, it next asks the victim to enter credit card details if the application supports financial transactions. With that data in hand, the cybercriminal can use it to obtain a financial return.

According to ThreatFabric, data collection is done using a technique called "overlays." When the malware detects that the user is opening a legitimate app, it draws a fake window on top of it. The victim, unaware of the deception, types into that window, and the BlackRock malware collects the login data and the credit card data entered there.

In a report shared by ThreatFabric, its researchers note that the vast majority of this malware's information-stealing overlays target communication, social media and financial applications.

The report includes graphics showing, by category, which types of apps are most affected by the BlackRock malware.

The way it operates is as follows. Once the malware is installed on the device through a malicious application carrying the BlackRock Trojan, it asks the user to grant it the Accessibility permission on the phone. With that permission granted by the victim, the malware uses it to automate tasks and even perform taps on the user's behalf.

BlackRock malware also uses the accessibility feature to grant itself other Android permissions. In addition, it uses an Android DPC (device policy controller) to grant itself administrator access to the device (described here as root). However, this is only part of what it can do. It can also:

  • Intercept SMS messages.
  • Spam contacts with predefined SMS.
  • Start specific applications.
  • Show custom push notifications.
  • Sabotage mobile antivirus applications and more.
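The overlay technique and the permission chain described above (overlay window, Accessibility service, device admin, SMS and contacts access, sideloaded installer) give a defender a concrete pattern to look for in an app inventory. The following Python script is an added example, not code from the article or from ThreatFabric: it scores installed apps by that combination of privileges. The inventory format, the package names and the weights are constructed assumptions; on a real device the same fields can be assembled from `adb shell pm list packages -i`, `adb shell dumpsys package <pkg>`, `settings get secure enabled_accessibility_services` and `dumpsys device_policy`.

```python
"""Permission-based triage of installed Android apps for the overlay-Trojan
pattern: an app that can draw over other apps, runs as an enabled accessibility
service, holds device admin, reads/sends SMS and was not installed from a
trusted store. Added example; inventory, weights and threshold are assumptions."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Real Android permission names relevant to the pattern.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"   # draw windows over other apps
RECEIVE_SMS = "android.permission.RECEIVE_SMS"       # intercept incoming SMS
SEND_SMS = "android.permission.SEND_SMS"             # spam contacts by SMS
READ_CONTACTS = "android.permission.READ_CONTACTS"

TRUSTED_INSTALLERS = {"com.android.vending"}         # Google Play Store

# Scoring weights are an assumption for illustration; tune them for your fleet.
PERMISSION_WEIGHTS = {OVERLAY: 2, RECEIVE_SMS: 2, SEND_SMS: 1, READ_CONTACTS: 1}
ACCESSIBILITY_WEIGHT = 3   # app is an enabled accessibility service
DEVICE_ADMIN_WEIGHT = 3    # app is an active device admin / policy controller
SIDELOAD_WEIGHT = 2        # no trusted installer recorded
COMBO_WEIGHT = 3           # overlay + accessibility + sideloaded together


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]                  # None: sideloaded, no installer recorded
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False
    device_admin_active: bool = False


def is_sideloaded(app: InstalledApp) -> bool:
    return app.installer not in TRUSTED_INSTALLERS


def score_app(app: InstalledApp) -> Tuple[int, List[str]]:
    """Return (risk score, human-readable reasons) for one installed app."""
    score, reasons = 0, []
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in app.permissions:
            score += weight
            reasons.append(perm.rsplit(".", 1)[-1])
    if app.accessibility_enabled:
        score += ACCESSIBILITY_WEIGHT
        reasons.append("accessibility service enabled")
    if app.device_admin_active:
        score += DEVICE_ADMIN_WEIGHT
        reasons.append("device admin active")
    if is_sideloaded(app):
        score += SIDELOAD_WEIGHT
        reasons.append(f"sideloaded (installer={app.installer})")
    # The defining combination: it can draw a fake window over a legitimate app,
    # tap through prompts on the user's behalf, and did not come from the store.
    if OVERLAY in app.permissions and app.accessibility_enabled and is_sideloaded(app):
        score += COMBO_WEIGHT
        reasons.append("overlay + accessibility + sideloaded combination")
    return score, reasons


def triage(apps: List[InstalledApp], threshold: int = 6) -> List[Tuple[str, int, List[str]]]:
    """Return [(package, score, reasons)] at or above threshold, highest score first."""
    flagged = []
    for app in apps:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append((app.package, score, reasons))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed sample inventory (not real data): a banking app from the store,
# a legitimate screen reader from the store, and a sideloaded fake "update".
SAMPLE_APPS = [
    InstalledApp("com.example.bank", "com.android.vending",
                 {"android.permission.INTERNET", "android.permission.USE_BIOMETRIC"}),
    InstalledApp("com.example.screenreader", "com.android.vending",
                 set(), accessibility_enabled=True),
    InstalledApp("com.update.google.fake", None,
                 {OVERLAY, RECEIVE_SMS, SEND_SMS, READ_CONTACTS},
                 accessibility_enabled=True, device_admin_active=True),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_APPS):
        print(f"{package}: score {score}: {', '.join(reasons)}")
```

The legitimate screen reader is an enabled accessibility service but stays below the threshold because it holds no overlay or SMS rights and came from the store; only the sideloaded package that combines all of the privileges the article lists is flagged. Lowering the threshold surfaces the accessibility app as well, which is the trade-off to tune on a real fleet.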

Right now the BlackRock malware is disguised as fake Google update packages offered on third-party sites. Fortunately, this malicious software has not been detected in the Google Play Store. Finally, an important recommendation that helps prevent malicious software from being installed on our Android device: only download apps from the Google Play Store.