This new Android malware called BlackRock can steal passwords, card data from 337 apps including Gmail, Uber
A new strain of Android malware has emerged that can steal data from at least 337 Android apps. Called BlackRock, the malware was first spotted in May this year by a mobile security company called ThreatFabric.
Researchers at ThreatFabric said that BlackRock is based on the leaked source code of another malware strain called Xerxes (Xerxes itself is based on other malware strains). BlackRock, however, has been beefed up with additional features, especially ones that help steal passwords and credit card information, according to a report by ZDNet.
BlackRock works like most other Android banking trojans, except that it targets more apps than any of its predecessors, 337 to be precise. It can steal login credentials and can also prompt the victim to enter credit card details when the targeted app supports financial transactions.
ThreatFabric says that BlackRock's data collection happens through a method called 'overlays': the malware detects when a user is trying to interact with a legitimate app and shows a fake window on top of it that collects the login details and card data before letting the user through to the real app.
The security firm shared a report with ZDNet in which researchers said that the large majority of BlackRock's overlays are aimed at phishing financial, social media and communication apps. However, BlackRock also has overlays for dating, shopping, lifestyle, news and productivity apps. The full list of apps that BlackRock can target can be seen here and includes the likes of Gmail, Uber, Twitter, Snapchat and Instagram.
At its core, BlackRock works like older Android malware and uses tried and tested techniques to show its overlays and collect further data. Once installed on a device, the malicious app asks the user to grant it access to the phone's Accessibility features. The Accessibility feature is one of the most powerful on Android, as it can be used to automate tasks and 'perform taps' on the user's behalf.
BlackRock then uses the Accessibility feature to grant itself other Android permissions, and uses an Android DPC (a device policy controller, which is essentially what manages a work profile) to give itself admin access to the device. It then uses this access to show the overlays. But it does not end here.
BlackRock can also perform other 'intrusive' operations, including:
- Overlaying: Dynamic (Local injects obtained from C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Device info collection
- SMS: Sending
- Remote actions: Screen-locking
- Self-protection: Hiding the app icon
- Self-protection: Preventing removal
- Notifications collection
- Grant permissions
- AV detection
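Because the whole chain above starts with an Accessibility grant, a practical defender-side check is to audit which packages have an accessibility service enabled. The following is an added example (not code from the article or from ThreatFabric) that parses the value of the Android setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any package not on an assumed allowlist; the sample value and the `com.example.fakeupdate` package are constructed placeholders, not real BlackRock indicators.

```python
# Audit helper for the Accessibility-service abuse described above.
# Input: the raw value of the secure setting enabled_accessibility_services,
# a colon-separated list of "package/ServiceClass" component names.
# The setting reads "null" when no accessibility service is enabled.

# Assumed baseline of legitimate accessibility packages (TalkBack screen reader).
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample setting value; the second entry is a placeholder name.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)


def parse_enabled_services(raw):
    """Split the setting value into (package, service_class) tuples."""
    if raw is None or raw.strip() in ("", "null"):
        return []
    entries = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        # Android allows the shorthand "pkg/.Service" meaning "pkg.Service".
        if svc.startswith("."):
            svc = pkg + svc
        entries.append((pkg, svc))
    return entries


def flag_unexpected(raw, allowlist=ALLOWLIST):
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [(p, s) for p, s in parse_enabled_services(raw) if p not in allowlist]


if __name__ == "__main__":
    for pkg, svc in flag_unexpected(SAMPLE):
        print(f"unexpected accessibility service: {pkg} ({svc})")
```

Any package flagged this way that the user did not knowingly install, especially one delivered as a "Google update" from outside the Play Store, is worth removing and investigating.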
BlackRock is currently being distributed in the guise of fake Google update packages offered by third-party sites and, fortunately, has not turned up on the Google Play Store yet.
However, since older Android malware has found ways to bypass Google's app review process, it won't be long before BlackRock is deployed on the Play Store.