The BlackRock Malware
A group of cyber criminals has recently released a new Android malware strain armed with a full spectrum of data theft tools. According to security researchers, this new malware, named BlackRock, targets 337 Android applications and can steal the data of the millions of users who rely on them.
BlackRock was first spotted in May this year by the mobile security firm ThreatFabric. According to the company's researchers, the new Android malware is based on the source code of another malware strain known as "Xerxes". However, the analysis shows that BlackRock has been upgraded with additional malicious features specialized in the theft of user passwords and credit card information.
In general, BlackRock functions like most Android banking Trojans. The main difference is that it can target many more apps. As soon as it sneaks into the system, the malware steals login credentials (both usernames and passwords) and, wherever possible, prompts the victim to enter their payment card details, most often in apps that support online payments.
The researchers from ThreatFabric explain that the data collection happens via a technique called "overlays". The malware detects when the user opens a given legitimate app and displays a fake window on top of it; that window collects the login credentials and card payment details the user types before the legitimate app is ever reached.
The majority of BlackRock overlays are aimed at phishing data from financial, social media and instant messaging applications. However, shopping, dating, news, lifestyle and productivity applications are frequent targets of this malware as well.
Unfortunately, BlackRock is not the only malware to display overlays. It uses well-known, tried and tested methods that most malware families targeting Android devices already implement.
If a malicious app carrying the BlackRock Trojan is installed on a smartphone, it first asks the user to grant it access to the phone's Accessibility service. This is one of the most powerful features of the Android operating system, because an app that holds it can automate tasks and even perform taps on behalf of the user.
BlackRock abuses the Accessibility service to grant itself further Android permissions, including the Android DPC (Device Policy Controller) role, which gives the malware admin access to the compromised device. Together, these rights allow BlackRock to display its malicious overlays.
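The two privileges described above, an enabled accessibility service and device-admin rights held by the same unexpected package, are exactly what a defender can check for on a managed device. The following Python script is an added example written for this article and is not ThreatFabric's tooling or any code from the malware analysis. It parses the value of the real Android setting `enabled_accessibility_services` (a colon-separated list of `package/service-class` entries, or `null` when none is enabled) and an excerpt of `dumpsys device_policy`, then flags packages outside an allowlist. The allowlist, the sample setting value, the sample dumpsys excerpt and the package name `com.example.fakeupdate` are constructed for the example; the assumption that `dumpsys device_policy` lists admins as `ComponentInfo{package/class}` lines is marked in the code.

```python
"""Audit which packages hold accessibility and device-admin rights on an Android device.

Added example: flags accessibility services and device admins whose package
is not on an allowlist, since a package holding both is the privilege
combination an overlay banking Trojan relies on.
"""
import re
import subprocess
import sys
from typing import List, Tuple

# Packages whose accessibility services or device-admin receivers are expected
# on this device. Constructed for the example; adjust to your own fleet.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Real format: entries separated by ":", each "package/serviceClass";
# a class starting with "." is shorthand relative to the package.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.AccService"
)

# Constructed excerpt of `adb shell dumpsys device_policy`. Assumption: enabled
# admins appear as ComponentInfo{package/class} lines under "Enabled Device Admins".
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakeupdate/com.example.fakeupdate.AdminReceiver}
"""

COMPONENT_RE = re.compile(r"ComponentInfo\{([^/}]+)/([^}]+)\}")


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully qualified class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # no service enabled
        return []
    entries = []
    for item in raw.split(":"):
        if "/" not in item:  # tolerate trailing or malformed fragments
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):  # expand "pkg/.Cls" to "pkg/pkg.Cls"
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def parse_device_admins(dumpsys: str) -> List[Tuple[str, str]]:
    """Extract (package, class) for every ComponentInfo{...} in the dump."""
    return [(m.group(1), m.group(2)) for m in COMPONENT_RE.finditer(dumpsys)]


def audit(services, admins, allowlist=ALLOWLIST) -> List[str]:
    """Return human-readable findings; a package holding both rights is rated HIGH."""
    findings = []
    for pkg, cls in services:
        if pkg not in allowlist:
            findings.append(f"accessibility service outside allowlist: {pkg}/{cls}")
    for pkg, cls in admins:
        if pkg not in allowlist:
            findings.append(f"device admin outside allowlist: {pkg}/{cls}")
    both = ({p for p, _ in services} & {p for p, _ in admins}) - set(allowlist)
    for pkg in sorted(both):
        findings.append(f"HIGH: {pkg} holds both accessibility and device-admin rights")
    return findings


def adb_shell(cmd: str) -> str:
    """Run a command on the attached device via adb (only used with --live)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    if "--live" in sys.argv:
        svc_raw = adb_shell("settings get secure enabled_accessibility_services")
        dp_raw = adb_shell("dumpsys device_policy")
    else:
        svc_raw, dp_raw = SAMPLE_SERVICES, SAMPLE_DUMPSYS
    for line in audit(parse_enabled_services(svc_raw), parse_device_admins(dp_raw)):
        print(line)
```

Run without arguments to see the findings for the constructed samples; with `--live` and an attached device (`adb` on the path, USB debugging enabled) it reads the real values instead. The allowlist approach is deliberate: legitimate accessibility services are rare and well known per fleet, so anything unexpected is worth a look, and a package that holds both rights at once deserves immediate attention.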
ThreatFabric researchers, however, warn that, aside from displaying overlays to steal data, the Trojan may also perform other harmful activities such as:
- Start specific applications without user interaction
- Operate as a keylogger and log key taps
- Display custom pop-ups and push notifications
- Disable mobile antivirus software
- Spam user contacts with malicious SMS and more.
Android users should know that, currently, BlackRock is disguised as bogus Google update packages and distributed through third-party websites. Fortunately, the Trojan has not been found on the official Play Store yet. Nevertheless, advanced Android malware strains have in the past found ways of circumventing Google's app verification process, so it cannot be ruled out that BlackRock will sneak into the Play Store sooner or later.