Nasty Android Malware Attacks Facebook, Gmail and More - What to Do

A new strain of Android banking malware capable of stealing information from an estimated 337 apps, including Amazon, Facebook, Gmail, and Tinder, has been discovered by security researchers.

Named BlackRock, the malware was identified in May by cybersecurity firm ThreatFabric and has been linked to another strain of malware.

Upon investigating BlackRock, researchers said it "looked pretty familiar" and found that it used source code from the Xerxes malware, which itself was derived from a malware called LokiBot, as reported by ZDNet.

ThreatFabric states that this source code was "released by the author around May 2019" and is "accessible to any threat actor." The company also believes that BlackRock is the only banking Trojan currently using this source code.

What makes BlackRock notable is that, although it reuses Xerxes' source code, its operators have modified that code, expanded the list of targets well beyond Xerxes' and kept the campaign running for longer.

They have also widened the scope of the attacks from online banking apps to general-purpose apps.

BlackRock targets 226 apps, including Amazon, Cash App, eBay, Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, myAT&T, Netflix, PayPal, Uber and Yahoo Mail, as well as banking and cryptocurrency apps, in order to steal login credentials such as usernames and passwords.

It targets a further 111 apps, including Facebook, Facebook Messenger, Google Hangouts, Grindr, Instagram, Kik, Periscope, Pinterest, PlayStation, Reddit, Skype, Snapchat, Telegram, TikTok, Tinder, Tumblr, Twitter, Viber, the Russian social network VK, WhatsApp, WeChat and YouTube, in order to steal credit card numbers.

Like much Android malware, BlackRock poses as a seemingly legitimate app, asks the user for a set of permissions and then uses them to steal data from the device.

"When this malware first launches on a device, it first hides its icon from the app drawer, making it invisible to the end user. As a second step, the malware requests accessibility service permissions from the victim," the researchers wrote in a blog post. "Once the user grants the requested accessibility service permissions, BlackRock begins by granting additional permissions to itself. These additional permissions are necessary for the bot to function fully without further interaction with the victim. Once this is done, the bot is functional and ready to receive commands from the C2 (command-and-control) server to perform overlay attacks."

Once those permissions are in place, the operators can issue commands to the malware to send and harvest text messages, launch apps, read notifications, log keystrokes and lock the screen of infected phones.

The Trojan also stops security software from running. According to ThreatFabric, when the victim tries to open an antivirus app such as Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee or Avira, or even a device-cleaning app such as TotalCommander, SD Maid or Superb Cleaner, BlackRock uses its accessibility privileges to send the user straight back to the device's home screen, so the app never gets a chance to scan the device.

More alarming still is how BlackRock harvests credentials and payment data. It uses a technique known as an "overlay": when the victim opens one of the targeted apps, the malware draws a fake login or payment screen on top of the genuine one, and whatever the victim types, such as a username, a password or a credit card number, is captured and sent to the attackers.

ThreatFabric found overlays for apps across a range of categories, including business, messaging, dating, entertainment, financial, lifestyle, news and social media.

The Trojan is not believed to be present on the Google Play store. Instead, it is distributed as fake Google update packages offered by third-party websites.

To protect yourself, install apps only from trusted sources such as the Play Store, ignore prompts from websites to install a "Google update", read app reviews before installing, use a unique password for every account and review the permissions each app holds. Pay particular attention to accessibility service access: an app that asks for it and then disappears from the app drawer is behaving exactly as BlackRock does.
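The behaviour described above (icon hidden from the app drawer, accessibility service access, installation from outside the Play Store) can be checked for with a short triage script. The following is an added example, not code from the article or from ThreatFabric. It parses the text output of three `adb shell` commands (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`) and flags third-party packages that combine those traits. The sample outputs are constructed, the output formats are assumed to match what current Android builds print, and the package name `com.gms.update` is a hypothetical stand-in for a fake "Google update" package.

```python
import re
from dataclasses import dataclass

# Installer package id of the Play Store.
PLAY_STORE = "com.android.vending"

# Constructed sample output of `adb shell pm list packages -3 -i`
# (third-party packages with their installer). Format assumed.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.gms.update  installer=null
package:org.mozilla.firefox  installer=com.android.vending
"""

# Constructed sample output of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs). Format assumed.
SAMPLE_A11Y = "com.gms.update/com.gms.update.AccService:com.example.reader/.TtsService"

# Constructed sample output of `adb shell cmd package query-activities --brief
#   -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`
# (one package/activity per line, i.e. every app with a launcher icon). Format assumed.
SAMPLE_LAUNCHER = """\
com.whatsapp/.Main
com.example.bank/.LoginActivity
org.mozilla.firefox/.App
com.android.settings/.Settings
"""


def parse_packages(text: str) -> dict:
    """Map package name -> installer package (None when the installer is unknown)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out


def parse_accessibility(text: str) -> set:
    """Set of packages that currently have an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in text.strip().split(":") if entry}


def parse_launcher(text: str) -> set:
    """Set of packages that expose a launcher activity (i.e. have an app-drawer icon)."""
    return {line.split("/", 1)[0] for line in text.splitlines() if "/" in line}


@dataclass
class Finding:
    package: str
    reasons: list


def triage(pkg_text: str, a11y_text: str, launcher_text: str) -> list:
    """Flag third-party packages that look like BlackRock-style droppers."""
    pkgs = parse_packages(pkg_text)
    a11y = parse_accessibility(a11y_text)
    launcher = parse_launcher(launcher_text)
    findings = []
    for pkg, installer in sorted(pkgs.items()):
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg not in launcher:
            reasons.append("no launcher icon")
        if installer != PLAY_STORE:
            reasons.append(f"installer={installer or 'unknown'}")
        # Accessibility access is the pivot the article describes; on its own,
        # a missing icon or a sideloaded install is common (widgets, dev builds),
        # so require accessibility access plus at least one more trait.
        if "accessibility service enabled" in reasons and len(reasons) >= 2:
            findings.append(Finding(pkg, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_LAUNCHER):
        print(f"SUSPICIOUS {f.package}: " + "; ".join(f.reasons))
```

On a real device, capture the three command outputs with `adb shell` and feed them to `triage()` in place of the constructed samples; a hit is a reason to revoke the app's accessibility access in Settings and uninstall it, not proof of infection on its own.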