Meet BlackRock, the Malware That Can Steal Passwords and Credit Card Data From Hundreds of Android Apps

BlackRock Android Malware

You may not be surprised that, like most things in the virtual world, malware constantly morphs and evolves. Hackers never stop improving their malicious code, and sometimes they copy features and modules from one or more existing strains, add some functionality of their own, and create brand new threats. Last week, researchers from Threat Fabric reviewed BlackRock, a newcomer to the Android threat landscape, and showed how this kind of evolution sometimes plays out.

BlackRock – the origins

BlackRock can trace its roots back to LokiBot, a once popular Android banking trojan that appeared in late 2016. Initially, LokiBot's author ran a malware-as-a-service operation and rented the trojan to other hackers willing to pay for it. At one point, however, the malware creator got banned from some of the popular underground forums, and their business suffered a massive blow as a result. Probably because of this, shortly thereafter, LokiBot's source code got leaked.

Threat actors didn't need a second invitation. In early 2018, they released MysteryBot, an improved version of LokiBot that worked better on newer Android devices and had more advanced information-stealing capabilities. Despite the upgrades, the hacking community wasn't impressed, and a few months later, a group of hackers decided to have another go. They took MysteryBot, added some new features, and released Parasite.

Unfortunately for them, Parasite never caught on, and it too faded into obscurity pretty quickly. The hackers hadn't completely given up, though. In May 2019, they released Xerxes, another upgrade of the same Android trojan. In true LokiBot tradition, Xerxes' authors wanted to sell access to the malware on the underground forums, but their fellow cybercriminals showed no interest in the trojan, and it was later released for free.

Crooks decided to give it yet another chance, however. A few months ago, they took Xerxes, added a few new features, and re-branded it as BlackRock.

A seemingly perfect combination of tried and tested techniques and new, advanced features

According to Threat Fabric's report, BlackRock poses predominantly as a Google Updates application and, for the time being at least, is downloaded exclusively from third-party websites and app stores. During the installation process, it asks for access to Android's Accessibility Services. Through them, it grants itself additional privileges and conducts the information-stealing operation by drawing overlays over other apps. This, it must be said, is not exactly revolutionary. Plenty of other Android malware families work in exactly the same way. The use of Android Work Profiles, however, is new.

Android Work Profiles can be used by companies to control employees' access while they're on the move. BlackRock's authors have realized that through the feature, they can create a new profile with administrative privileges and gain complete control over the device.

This puts them in a position to instruct the malware to execute all manner of commands sent by the Command & Control server (C&C). These include keylogging, sending and stealing text messages, running applications, retrieving and hiding push notifications, blocking anti-virus apps, etc.

BlackRock's authors target more than 300 applications

Of course, BlackRock's main purpose is to steal user information. More specifically, it's after usernames, passwords, and credit card details, and its mechanism for pilfering the data is pretty simple. It detects when the user is about to interact with one of the targeted applications, and it uses the permissions it has gathered to draw a fake login form or checkout page over the legitimate app. Usernames, passwords, and credit card details entered into the fake forms are sent to the C&C. The overlays are downloaded and stored on the device, and they impersonate the targeted applications rather well, which is not really surprising given that BlackRock is based on LokiBot.

What is remarkable, however, is the enormous list of applications that the crooks are targeting. According to Threat Fabric, the target list contains no fewer than 337 apps. Most of them are related to European banks, but the researchers noted that the hackers are also after the users of some social networks and lifestyle applications. With these apps, the hackers are after credit card data rather than login credentials, and the experts think that their presence on the target list may have something to do with people's increased usage of such applications during the COVID-19 pandemic.

With BlackRock, the hackers are really casting the net wide, and they apparently think that this will make the new trojan more successful than its predecessors. Hopefully, this won't happen, and BlackRock will die just as quickly as Xerxes, Parasite, MysteryBot, and LokiBot.

July 20, 2020
