A new strain of Android malware called BlackRock has appeared in the criminal underworld and comes equipped with a wide range of data theft capabilities that allow it to target 337 Android applications.
This new threat appeared in May this year and was discovered by the mobile security company ThreatFabric.
Researchers say the malware was built from the leaked source code of another malware strain (Xerxes, itself based on other malware) but was enhanced with additional features, especially for stealing user passwords and credit card information.
BlackRock still works like most Android banking trojans, but it targets more applications than most of its predecessors.
The trojan will also steal the login credentials (username and password), where available, but will also ask the victim to enter the payment card details if the applications support financial transactions.
According to ThreatFabric, data collection is done through a technique called "overlays": when the user tries to interact with a legitimate application, the malware displays a fake window on top of it that collects the victim's login details and card data before letting the user continue into the intended, legitimate application.
In a report released this week, ThreatFabric researchers say that the vast majority of BlackRock overlays focus on financial and social media applications. However, overlays are also included for phishing data from dating, news, shopping, lifestyle and productivity applications.
Apart from the overlays, BlackRock is not especially unique: it works like most Android malware these days and uses old, tried and tested techniques.
Once installed on a device, a malicious application carrying the BlackRock trojan asks the user to grant it access to the phone's Accessibility feature.
The Android Accessibility feature is one of the most powerful features of the operating system, as it can be used to automate tasks and even perform "clicks" on behalf of the user.
BlackRock uses Android Accessibility to grant itself other Android permissions and then uses an Android DPC (device policy controller, also known as a work profile) to give itself administrator access to the device.
It then uses this access to display malicious overlays, but ThreatFabric says that the trojan can also perform other intrusive functions, such as:
- Monitoring SMS messages
- Sending spam with predefined SMS messages
- Launching specific applications
- Keylogging
- Displaying custom push notifications
- Sabotaging antivirus apps
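The capability list above maps onto a recognisable permission pattern in an app's manifest: an accessibility service, an overlay permission, a device-admin receiver and SMS permissions, all declared by one app. The following static triage check is an added example written for this article, not code from ThreatFabric or from the malware; it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the sample manifest it parses is constructed to mimic a fake "Google update" dropper.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission
combination that overlay banking trojans rely on (added example, not from the
article or ThreatFabric). Assumes the manifest has been decoded to plain XML,
e.g. with apktool; the manifest below is constructed for the demonstration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Indicators drawn from the behaviours the article attributes to BlackRock.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (not a real sample) mimicking a fake update app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Google Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found in a decoded manifest plus a simple verdict."""
    root = ET.fromstring(xml_text)
    requested = {
        el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)
    }
    findings = {
        "package": root.get("package"),
        "overlay": bool(requested & OVERLAY_PERMS),
        "sms": sorted(requested & SMS_PERMS),
        # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
        "accessibility_service": any(
            svc.get(PERMISSION) == ACCESSIBILITY_BIND for svc in root.iter("service")
        ),
        # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component.
        "device_admin": any(
            rcv.get(PERMISSION) == DEVICE_ADMIN_BIND for rcv in root.iter("receiver")
        ),
    }
    # Accessibility plus overlay is the core of the overlay attack; device
    # admin and SMS access raise the score further. Weights are illustrative.
    score = (
        2 * findings["accessibility_service"]
        + 2 * findings["overlay"]
        + findings["device_admin"]
        + (1 if findings["sms"] else 0)
    )
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 4 else "review"
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Legitimate apps do request some of these individually (screen readers, SMS clients, MDM agents), so the check is a triage signal for an analyst queue rather than a verdict on its own; the combination of an accessibility service with overlay permission in an app distributed outside the Play Store is what deserves a closer look.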
At the moment, BlackRock is being distributed disguised as a fake Google update package offered on third-party sites, and it has not yet been spotted on the official Play Store.
However, Android malware gangs have found ways to bypass Google's app review checks, and at some point we will probably see BlackRock appear on the Play Store.