
BlackRock banking Trojan targets Android apps

Trojan steals login credentials and credit card information and has targeted more than 300 apps

Researchers at ThreatFabric have released a report detailing their findings on BlackRock, the Android banking Trojan. Discovered in May, BlackRock steals login credentials and credit card information and has targeted 337 financial, communication, dating and social networking apps.

According to ThreatFabric, BlackRock poses as a fake Google Update and requests accessibility privileges. Once the Trojan gets the needed privileges, it grants itself additional permissions so it can function without requiring any further interaction with the device’s user. 

BlackRock can collect device information, perform overlay attacks, act as a keylogger, push system notifications to the C2 server, curb antivirus use and even prevent uninstallation.
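The behaviour described above hinges on a fake "Google Update" app being granted accessibility privileges, so one defender-side triage step is to check which packages on a device currently hold an enabled accessibility service and whether any of them is unexpected. The script below is an added example, not code from ThreatFabric's report or from IT Pro: it parses the value that `adb shell settings get secure enabled_accessibility_services` returns (a colon-separated list of `package/ServiceClass` entries), drops packages on an allowlist, and flags the rest, with an extra heuristic for packages whose name trades on "google" without living in Google's `com.google.` namespace. The allowlist and the sample setting value are constructed for illustration; the lookalike package name is hypothetical.

```python
"""Flag unexpected Android accessibility services from a device settings dump.

Added example for this article; not ThreatFabric's or IT Pro's code.
Input format: the colon-separated `package/ServiceClass` list printed by
`adb shell settings get secure enabled_accessibility_services`.
Sample values below are constructed; the lookalike package is hypothetical.
"""

from dataclasses import dataclass

# Accessibility services an organisation might legitimately allow (assumption).
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Constructed sample of the enabled_accessibility_services setting value.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.update.google.sync/com.update.google.sync.AccService"  # hypothetical lookalike
)


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service: str


def parse_enabled_services(setting: str) -> list[AccessibilityService]:
    """Parse the colon-separated package/service list; tolerate empty or 'null'."""
    if not setting or setting.strip() == "null":
        return []
    services = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, service = entry.partition("/")
        # A leading '.' means the service class is relative to the package name.
        if service.startswith("."):
            service = package + service
        services.append(AccessibilityService(package, service))
    return services


def looks_like_google_lookalike(package: str) -> bool:
    """Heuristic: name contains 'google' but is outside Google's real namespace."""
    return "google" in package.lower() and not package.startswith("com.google.")


def triage(setting: str, allowed: set[str] = ALLOWED_PACKAGES) -> list[dict]:
    """Return one finding per enabled accessibility service not on the allowlist."""
    findings = []
    for svc in parse_enabled_services(setting):
        if svc.package in allowed:
            continue
        findings.append({
            "package": svc.package,
            "service": svc.service,
            "google_lookalike": looks_like_google_lookalike(svc.package),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING):
        flag = " [Google lookalike name]" if f["google_lookalike"] else ""
        print(f"unexpected accessibility service: {f['package']} ({f['service']}){flag}")
```

On a real device the setting string comes from `adb shell settings get secure enabled_accessibility_services`; feeding it to `triage()` yields the packages worth inspecting, and an empty or `null` value simply means no accessibility service is enabled.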

ThreatFabric says BlackRock is based on Xerxes banking malware code, which was a strain of the LokiBot Android banking Trojan discovered in 2019. 

LokiBot was observed as rented malware between 2016 and 2017. The Trojan’s source code was later leaked. 

In 2018, MysteryBot, which included upgrades to the LokiBot Trojan so it worked on newer Android devices, was observed to be active. Parasite, MysteryBot’s successor, was also based on LokiBot, though it ultimately disappeared from the threat landscape, and Xerxes replaced it in 2019. Fast-forward to May 2020, and BlackRock emerged.

“After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan. The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor,” the report says.

“When source code of malware is leaked or made publicly accessible it is pretty common to see the threat landscape being supplemented with new malware variants or families based on the said code,” the report continued.

Thus far, BlackRock’s targets for credential theft have included the following apps:  

It’s also targeted various banking apps in an effort to steal credentials, including: 

  • Barclays
  • Santander
  • Royal Bank of Scotland
  • Lloyds
  • ING
  • Wells Fargo

To steal credit card information, BlackRock has targeted a wide range of apps, including: 
