Today's Editorial

18 August 2020

BlackRock Android malware

Source: Anuj Bhatia, The Indian Express

Security firm ThreatFabric has alerted about a new malware, called BlackRock, which can steal information like passwords and credit card information from about 377 smartphone applications, including Amazon, Facebook, Gmail and Tinder. Since these are very popular apps, the threat posed by the BlackRock Android malware is quite high.

BlackRock isn’t exactly new malware. It is based on the leaked source code of the Xeres malware, itself derived from malware called LokiBot. The only big difference between BlackRock and other Android banking trojans is that it targets more apps than its predecessors did.

BlackRock works like most Android malware. Once installed on a phone, it monitors the targeted app. When the user enters login and/or credit card details, the malware sends the information to a server. BlackRock abuses the phone’s Accessibility feature, then uses an Android DPC (device policy controller) to grant itself further permissions.

When the malware is first launched on the device, it hides its icon from the app drawer, making it invisible to the end-user. It then asks for accessibility service privileges. Once this privilege is granted, BlackRock grants itself additional permissions required to fully function without having to interact any further with the victim. At this point, the bot is ready to receive commands from the command-and-control server and execute overlay attacks.
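As an added illustration (not code from the article or from ThreatFabric), the following on-device audit lists the footholds described above: user-installed packages that hold the Accessibility Service, packages registered as active device admins, and sideloaded packages that expose no launcher icon. It assumes an app that holds the QUERY_ALL_PACKAGES permission on Android 11 or later, since package enumeration is otherwise filtered.

```java
// Added example (not from the article): surface the three footholds the text
// describes so a user or administrator can review them. Assumes the calling app
// may enumerate all packages (QUERY_ALL_PACKAGES on Android 11+).
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class FootholdAudit {
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();

        // 1. Which user-installed packages currently hold the Accessibility Service?
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (isUserInstalled(pm, pkg)) findings.add("accessibility: " + pkg);
        }

        // 2. Which user-installed packages are active device admins (DPC path)?
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins != null) for (ComponentName cn : admins) {
            if (isUserInstalled(pm, cn.getPackageName())) findings.add("device-admin: " + cn.getPackageName());
        }

        // 3. Which user-installed packages have no launcher icon and did not come from Google Play?
        Intent launcher = new Intent(Intent.ACTION_MAIN).addCategory(Intent.CATEGORY_LAUNCHER);
        Set<String> withIcon = new HashSet<>();
        for (ResolveInfo ri : pm.queryIntentActivities(launcher, 0)) withIcon.add(ri.activityInfo.packageName);
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            if (isUserInstalled(pm, app.packageName) && !withIcon.contains(app.packageName)
                    && !"com.android.vending".equals(pm.getInstallerPackageName(app.packageName)))
                findings.add("hidden-icon, sideloaded: " + app.packageName);
        }
        return findings;
    }

    private static boolean isUserInstalled(PackageManager pm, String pkg) {
        try {
            return (pm.getApplicationInfo(pkg, 0).flags & ApplicationInfo.FLAG_SYSTEM) == 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

A legitimate screen reader or MDM agent will also appear in the first two lists, so each finding is a prompt to review the package, not a verdict on its own.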

BlackRock isn’t limited to online banking apps; it also targets general-purpose apps across categories including Books & Reference, Business, Communication, Dating, Entertainment, Lifestyle, Music & Audio, News & Magazine, Tools, and Video Players & Editors.

The researchers noted that BlackRock steals credentials such as usernames and passwords from 226 apps, including PayPal, Amazon, eBay, Gmail, Google Pay, Uber, Yahoo Mail and Netflix, among others. In addition, the malware steals credit-card numbers from an additional 111 apps, including Facebook Messenger, Google Hangouts, Instagram, PlayStation, Reddit, Skype, TikTok, Twitter, WhatsApp and YouTube.

ThreatFabric says the malware can also send and steal SMS messages, hide notifications, log keystrokes, detect antivirus software, and much more.

The new malware is so powerful that it makes antivirus applications useless. “The Trojan will redirect the victim to the HOME screen of the device if the victim tries to start or use antivirus software as per a specific list including Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, Avira, and even applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner,” ThreatFabric explains in its blog.

Right now, the trojan is yet to be spotted on the Google Play Store and is distributed as a fake Google Update on third-party stores. Your best bet is to download apps only from the Google Play Store, use strong passwords, beware of spam and phishing emails, use an antivirus app if possible, and check app permissions. A patch could be on the way.