BlackRock Malware Steals Data from 337 Apps; Banking, Social and Mobile Apps

A new Android malware called BlackRock has appeared that can steal data from around 337 Android apps. This malware was discovered by a mobile security company called ThreatFabric and was first spotted in May 2020.

ThreatFabric researchers said BlackRock is based on the leaked source code of another malware strain known as Xerxes (Xerxes is also based on other malware strains). However, BlackRock has been beefed up with additional features, particularly ones that help steal passwords and credit card data, as per a report by ZDNet.

BlackRock, unlike other Android banking trojans, can target more apps, around 337 apps. It can steal login credentials and also prompt the victim to enter credit card details if the apps support financial transactions.

ThreatFabric says that BlackRock's data collection happens via a method called 'overlays' that includes detecting when a user is interacting with a legitimate app and shows a fake window on top that collects the login details and card data before allowing the user to begin to use the main genuine app.

Though, BlackRock has overlays for dating apps, shopping, lifestyle, news and productivity apps too. The apps list that BlackRock can target includes the Gmail, Uber, Twitter, Snapchat, Instagram etc.

BlackRock can also perform other 'intrusive' operations such as -

- Overlaying: Dynamic (Local injects obtained from C2)

- Keylogging

- SMS harvesting: SMS sending, listing and forwarding

- Device data collection and AV detection

- Remote actions: Screen-locking

- Self-protection: Hiding the app icon, averting removal

- Notifications collection and grant permissions

Currently, BlackRock is being distributed in the guise of fake Google update packages offered by third party sites and fortunately didn't turn up on the Google PlayStore yet.