BlackRock banking Trojan targets Android apps

Trojan steals login credentials and credit card information and has targeted more than 300 apps


Researchers at ThreatFabric have released a report detailing their findings on BlackRock, the Android banking Trojan. Discovered in May, BlackRock steals login credentials and credit card information and has targeted 337 financial, communication, dating and social networking apps.

According to ThreatFabric, BlackRock poses as a fake Google Update and requests accessibility privileges. Once the Trojan gets the needed privileges, it grants itself additional permissions so it can function without requiring any further interaction with the device’s user. 

BlackRock can collect device information, perform overlay attacks, act as a keylogger, push system notifications to the C2 server, curb antivirus use and even prevent uninstallation.
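The two paragraphs above describe the foothold the report attributes to BlackRock: a fake update prompt that asks for accessibility privileges, which the Trojan then uses to grant itself further permissions. As an added, defender-side illustration (not code from the article or from ThreatFabric), the script below reads the list of enabled accessibility services that Android exposes through `adb shell settings get secure enabled_accessibility_services` and flags any package that is not on an allowlist. The allowlist and the sample settings string are constructed for the demo; the `com.example.fakeupdate` package name is hypothetical and is not a BlackRock indicator.

```python
"""
Added example: list which packages hold Android accessibility privileges and
flag the ones an organisation does not expect. Uses only the standard library.

Real input comes from:
    adb shell settings get secure enabled_accessibility_services
The value is a colon-separated list of "package/ServiceClass" entries, or the
literal string "null" when no service is enabled.
"""
import subprocess
from typing import Iterable, List, Tuple

# Example allowlist (assumption): accessibility services the organisation has
# vetted. TalkBack is Google's own screen reader and a common legitimate entry.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of what the adb command returns; the second entry is a
# hypothetical, unvetted package standing in for an unexpected service.
SAMPLE_SETTINGS_VALUE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccessService"
)


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the settings value into (package, service_class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, service = entry.partition("/")
        pairs.append((package, service))
    return pairs


def flag_unexpected(pairs: Iterable[Tuple[str, str]],
                    allowlist=frozenset(ALLOWLIST)) -> List[str]:
    """Return packages holding accessibility privileges that are not allowlisted."""
    return sorted({pkg for pkg, _ in pairs if pkg not in allowlist})


def read_from_device() -> str:
    """Query a connected device via adb (requires adb on PATH and a device)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in read_from_device() for a real check.
    suspects = flag_unexpected(parse_enabled_services(SAMPLE_SETTINGS_VALUE))
    for pkg in suspects:
        print(f"review: accessibility service enabled for non-allowlisted package {pkg}")
```

An empty or `null` result means no app holds accessibility access; any package outside the allowlist is worth a closer look, since the article's chain of events starts with exactly that grant.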

ThreatFabric says BlackRock is based on the code of the Xerxes banking malware, discovered in 2019, which was itself a strain of the LokiBot Android banking Trojan. 

LokiBot was observed as rented malware between 2016 and 2017. The Trojan’s source code was later leaked. 

In 2018, MysteryBot, which included upgrades to the LokiBot Trojan so it worked on newer Android devices, was observed to be active. Parasite, MysteryBot’s successor, was also based on LokiBot, though it ultimately disappeared from the threat landscape, and Xerxes replaced it in 2019. Fast-forward to May 2020, and BlackRock emerged.

“After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan. The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor,” the report says.

“When source code of malware is leaked or made publicly accessible it is pretty common to see the threat landscape being supplemented with new malware variants or families based on the said code,” the report continued.

Thus far, BlackRock’s targets for credential theft have included the following apps:  

It’s also targeted various banking apps in an effort to steal credentials, including: 

  • Barclays
  • Santander
  • Royal Bank of Scotland
  • Lloyds
  • ING 
  • Wells Fargo. 

To steal credit card information, BlackRock has targeted a wide range of apps, including: 
