BlackRock Malware targeting email, social media and banking apps

BlackRock malware is derived from the code of the Xerxes banking malware

New Android malware – BlackRock – is now targeting more apps than ever including email and social media apps as well as banking apps.

BlackRock is known to target apps like WhatsApp, Tinder, Twitter, Gmail, Skype, and Facebook among others. BlackRock is essentially derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan.

The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor, according to cyber-crime and fraud prevention firm ThreatPost.

When the malware is first launched on the device, it appears as a fake notification pop-up and disappears from the app drawer. The malware then asks for accessibility permissions.

Once accessibility access is granted, the app grants itself the remaining administrator permissions it needs to function without hindrance. To obtain these permissions, the malware uses the smartphone’s accessibility feature and an Android DPC (Device Policy Controller).

Once the BlackRock malware is successfully installed on a smartphone, it monitors the targeted apps. As soon as the user enters their bank credentials, the information is sent to the server. The app's other capabilities include sending and stealing SMS messages, AV detection, keylogging, etc.
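Because the infection described above depends on an accessibility grant, one defensive check is to list which user-installed apps currently hold an enabled accessibility service. The Python below is an added example, not code from the original article or from the researchers it cites; the adb commands appear only in comments, and all sample output and package names are constructed.

```python
"""List user-installed Android apps that hold an enabled accessibility service."""

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.update/com.example.update.Service"
)
# Constructed sample output of: adb shell pm list packages -3
SAMPLE_THIRD_PARTY = "package:com.example.update\npackage:org.example.notes\n"


def parse_a11y_services(raw):
    """Split the colon-separated component list into (package, class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):  # "settings get" prints "null" when the key is unset
        return []
    services = []
    for component in raw.split(":"):
        pkg, sep, cls = component.strip().partition("/")
        if not (sep and pkg and cls):
            continue  # skip anything that is not package/class
        if cls.startswith("."):  # short form is relative to the package name
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_packages(raw):
    """Turn "package:<name>" lines into a set of package names."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def flag_a11y_holders(a11y_raw, third_party_raw, allowlist=frozenset()):
    """Return accessibility services owned by user-installed, non-allowlisted apps."""
    user_apps = parse_packages(third_party_raw) - set(allowlist)
    return [(p, c) for p, c in parse_a11y_services(a11y_raw) if p in user_apps]


if __name__ == "__main__":
    for pkg, cls in flag_a11y_holders(SAMPLE_A11Y, SAMPLE_THIRD_PARTY):
        print(f"review: {pkg} holds accessibility service {cls}")
```

A flagged entry is a prompt for review rather than a verdict: legitimate password managers and assistive tools also hold accessibility services, which is what the `allowlist` parameter is for.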

BlackRock Target Apps

BlackRock malware is derived from banking malware but is not limited to banking apps. It also targets apps in other categories such as Lifestyle, Music, News, etc., and steals the passwords and other information entered in those apps.

The researchers are of the view that BlackRock steals login credentials from 226 apps such as PayPal, Amazon, eBay, Gmail, Google Play, Uber, Yahoo Mail, Netflix and more, while the app steals bank details from 111 apps such as Facebook Messenger, Google Hangouts, Instagram, PlayStation, Reddit, Skype, TikTok, Twitter, WhatsApp, YouTube and more.

ThreatFabric states:

The Trojan will redirect the victim to the Home screen of the device if the victims try to start or use antivirus software as per a specific list including Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, Avira, and even applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner.