Published: August 11, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
Android users are being targeted yet again with a malware strain that emerged from the deep Black. From under a BlackRock to be precise. It targets 337 Android applications and has been on the move since at least May of this year. It’s not completely new either. In fact, the researchers at ThreatFabric say it’s based on leaked source code for another strain known as Xerxes, which was created from Parasite, which was code from MysteryBot, which used code previously from LokiBot. Why reinvent the wheel, right?
Just a bit of a history lesson, in case you forgot: LokiBot tries to get access to financial accounts via banking and other financial apps. PayPal was a favorite, after which it used the stolen credentials to transfer money from the victim’s account to the scammer’s. BlackRock, however, goes further and targets non-financial apps such as dating and social networking apps. The assumption is that the attackers are looking for personal details rather than diverting funds, perhaps to perform more targeted and personalized attacks.
BlackRock is currently distributed as a fake Google update package from third-party sites. Avoid using those and get updates directly from the official Google sources. It will steal login credentials, and it will also ask for payment details if the app the user is opening supports financial transactions. It uses “overlay” techniques: when the user opens a targeted legitimate app, the malware draws a fake window on top of it that looks like the real login or payment screen, and whatever the user types into that window is collected by the malware instead of the app.
Additionally, some popular types of apps targeted by this malware include:
Auto & Vehicles
Maps & Navigation
Media and communications
Music & Audio
Video Players & Editors
This is in no way an exhaustive list, but it certainly indicates that no particular type of app is left out.
There is some good news. First, these apps reach devices through sideloading, which means installing them from sources other than the official app stores. If you simply avoid that, you can avoid BlackRock. In addition, the apps will ask for administrative access permissions. That should be a big red flag and should almost never be granted. If you aren’t sure an app needs a permission, just say no. You can always change it later if the app doesn’t work properly. That said, just don’t give any of them administrator access. They really don’t need it. That functionality is typically reserved for developers.
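The sideloading point above suggests a simple check a defender can run on a managed device. The script below is an added example, not code from the newsletter or from ThreatFabric: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with the name of the package that installed them) and flags any app whose installer is not the Play Store (`com.android.vending`). System apps are excluded by the `-3` flag because they report no installer and would otherwise be false positives. The sample output lines are constructed for illustration, and the `collect_from_device` helper is an assumption that `adb` is on the PATH with an authorized device attached.

```python
"""Audit an Android device's third-party packages for sideloaded apps.

Parses lines of the form produced by `pm list packages -3 -i`:
    package:<package name>  installer=<installer package or null>
A package with no installer, or an installer outside the trusted set,
was not delivered by the official store and deserves a closer look.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Installers a defender would normally treat as trusted. The Play Store is
# com.android.vending; a device maker's own store could be added here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One package per line; pm prints "installer=null" for sideloaded or adb installs.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_package_lines(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null')."""
    packages: Dict[str, Optional[str]] = {}
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank line or something other than a package entry
        inst = match.group("inst")
        packages[match.group("pkg")] = None if inst == "null" else inst
    return packages


def find_sideloaded(packages: Dict[str, Optional[str]],
                    trusted: Iterable[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return, sorted, every package whose installer is missing or untrusted."""
    trusted_set = set(trusted)
    return sorted(pkg for pkg, inst in packages.items()
                  if inst is None or inst not in trusted_set)


def collect_from_device() -> List[str]:
    """Assumed helper: run the pm command over adb on an attached device."""
    completed = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout.splitlines()


# Constructed sample output; not captured from any real device.
SAMPLE_OUTPUT = """\
package:com.android.chrome installer=com.android.vending
package:com.example.bank installer=com.android.vending
package:com.example.fakeupdate installer=null
package:com.example.thirdparty installer=com.example.altstore
"""


def audit(lines: Iterable[str]) -> List[str]:
    """Parse the package list and return the packages to review."""
    return find_sideloaded(parse_package_lines(lines))


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT.splitlines() with collect_from_device() for a live check.
    for pkg in audit(SAMPLE_OUTPUT.splitlines()):
        print(f"review: {pkg} was not installed from a trusted store")
```

Flagged packages are not necessarily malicious; the point is that a package that arrived outside the official store is exactly the delivery path the article describes, so each hit is worth checking, and on a fleet the list can be fed into whatever inventory or alerting the team already uses.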
Other tasks it can perform include intercepting SMS messages, spamming contacts, logging key taps, sabotaging antivirus apps, and more. It certainly hasn’t been hiding under any rocks.