When a banking trojan variant expands its playing field to non-financial apps, things may get pretty frightening. Something similar happened with this new malware, which expanded its scope beyond that of its predecessor, the banking trojan Lokibot, to target major non-financial apps, including chat, dating, gaming, and social media apps.
Introducing BlackRock, the trickster trojan
- BlackRock poses as a fake Google Update to request ‘accessibility service’ privileges and hide its icon after infecting a device.
- Once the privileges are obtained, BlackRock grants itself additional permissions, so it can fully function without requiring any further user interaction.
- Its features include the ability to perform overlay attacks, act as a keylogger, spam and steal SMS messages, push system notifications to the C2 server, and deflect usage of antivirus or system cleaning software.
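
The behaviours listed above can be turned into a triage heuristic for a managed Android fleet. The following is an added example, not code from the original article or from any vendor; the inventory schema, weights, threshold, and sample records are constructed assumptions.

```python
# Added example: score an app inventory on the behaviours listed above.
# The inventory schema, weights, threshold and sample data are constructed.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for your fleet
THRESHOLD = 5  # assumed cut-off: one signal alone never flags an app

def score_app(app):
    """Return (score, reasons) for one inventory record."""
    hits = []
    label = app.get("label", "").lower()
    user_app = not app.get("system", False)
    sideloaded = user_app and app.get("installer") not in TRUSTED_INSTALLERS
    if sideloaded and "google" in label and "update" in label:
        hits.append((2, "sideloaded app labelled like a Google update"))
    if app.get("accessibility_enabled"):
        hits.append((2, "accessibility service enabled"))
    if user_app and not app.get("has_launcher_icon", True):
        hits.append((2, "user-installed app with no launcher icon"))
    if SMS_PERMS & set(app.get("permissions", [])):
        hits.append((1, "holds SMS permissions"))
    if app.get("notification_listener_enabled"):
        hits.append((1, "can read system notifications"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def triage(inventory):
    """Return (package, score, reasons) for apps at or above THRESHOLD."""
    flagged = []
    for app in inventory:
        score, reasons = score_app(app)
        if score >= THRESHOLD:
            flagged.append((app["package"], score, reasons))
    return sorted(flagged, key=lambda f: -f[1])

SAMPLE_INVENTORY = [  # constructed records, not real indicators
    {"package": "com.example.fakeupdate", "label": "Google Update",
     "installer": None, "accessibility_enabled": True,
     "has_launcher_icon": False, "notification_listener_enabled": True,
     "permissions": ["android.permission.RECEIVE_SMS"]},
    {"package": "com.example.screenreader", "label": "Screen Reader",
     "installer": "com.android.vending", "accessibility_enabled": True,
     "permissions": []},
    {"package": "com.example.smsbackup", "label": "SMS Backup",
     "installer": "com.android.vending",
     "permissions": ["android.permission.READ_SMS"]},
]

if __name__ == "__main__":
    for pkg, score, reasons in triage(SAMPLE_INVENTORY):
        print(f"{pkg}: score {score}: " + "; ".join(reasons))
```

Legitimate accessibility tools and SMS apps score below the threshold on their own; it is the combination of signals that gets an app flagged for review.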
A long list of targeted apps
BlackRock campaigns have been going on for some time, and the malware now comes with an extended credential theft target list.
BlackRock’s list of 226 apps targeted for credential theft includes Gmail, Microsoft Outlook, Google Play, Uber, Amazon, eBay, Netflix, and Cash App, multiple cryptocurrency wallet apps such as Coinbase and Binance, and banks like Santander, Barclays, Royal Bank of Scotland, Lloyds, ING, and Wells Fargo, among many more.
The credit card theft target list contains 111 applications, including Twitter, Skype, Snapchat, Telegram, WhatsApp, Instagram, Facebook, Play Store, YouTube, VK, Reddit, TikTok, Mamba, Tinder, Badoo, and Grindr, among others.