Security researchers have disclosed a new strain of Android banking malware that targets not only banking apps but also steals data and credentials from social networking, dating and cryptocurrency apps.
In total, 337 non-financial Android applications are on its target list.
Researchers at ThreatFabric discovered the malware, dubbed BlackRock, in May. Its source code is derived from a leaked version of the Xerxes banking malware, which is itself a strain of the LokiBot Android banking trojan found during 2016-2017.
Its main features include stealing user credentials, intercepting SMS messages, hijacking notifications, recording keystrokes from the targeted apps and hiding from antivirus software.
Social networking, communication and dating applications are usually not found on the target list of other existing banking Trojans.
BlackRock collects data by abusing Android's Accessibility Service privileges; on first launch it asks the user to grant these permissions under the guise of a fake Google update.
It then grants itself additional permissions and establishes a connection with a remote command-and-control (C2) server, carrying out its malicious activities by injecting overlays atop the login and payment screens of the targeted apps.
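The privilege BlackRock abuses is an enabled accessibility service, which Android exposes to every app through a readable system setting. As an added defensive example (not code from ThreatFabric or from the malware write-up), the following Android class lists the enabled accessibility services and returns any that are not on a constructed allowlist, so a banking app can warn the user before it shows a login or payment screen:

```java
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Defensive check for the privilege BlackRock abuses: lists every enabled
 * accessibility service on the device and returns those not on a known-good
 * allowlist. Added example, not ThreatFabric's or the malware's code.
 */
public final class AccessibilityAudit {

    // Constructed allowlist of accessibility services the app treats as legitimate
    // (flattened ComponentName strings, "package/class"). Extend per deployment.
    private static final List<String> ALLOWLIST = Arrays.asList(
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    );

    private AccessibilityAudit() {}

    /** Enabled accessibility services not on the allowlist; empty list means nothing unusual. */
    public static List<String> unknownEnabledServices(Context ctx) {
        // Android stores the enabled services as a colon-separated list in Settings.Secure,
        // readable by any app without special permission.
        String enabled = Settings.Secure.getString(
            ctx.getContentResolver(), Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        return unknownServices(enabled);
    }

    /** Pure parsing helper so the logic can be exercised without a device. */
    static List<String> unknownServices(String enabledSetting) {
        List<String> suspicious = new ArrayList<>();
        if (TextUtils.isEmpty(enabledSetting)) {
            return suspicious; // no accessibility service is enabled at all
        }
        TextUtils.SimpleStringSplitter splitter = new TextUtils.SimpleStringSplitter(':');
        splitter.setString(enabledSetting);
        while (splitter.hasNext()) {
            String component = splitter.next().trim();
            if (!component.isEmpty() && !ALLOWLIST.contains(component)) {
                suspicious.add(component);
            }
        }
        return suspicious;
    }
}
```

This is a heuristic, not proof of compromise: a legitimate service the user installed will also appear, so the result should drive a warning or a step-up check rather than a hard block.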
These credential-stealing overlays are found on banking apps operating in Europe, Australia, the US, and Canada, besides shopping, communication, and business apps.
Non-financial apps on the target list include Tinder, TikTok, PlayStation, Facebook, Instagram, Skype, Snapchat, Twitter, Grindr, VK, Netflix, Uber, eBay, Amazon, Reddit and Tumblr.
BlackRock's campaign differs from other malware in the range of apps it targets, which extends well beyond the mobile banking apps that are usually hit.
ThreatFabric researchers stated that financially motivated threat actors might build new banking Trojans and continue improving the existing ones.