Threat Actors Using Fake App Website to Infect Android Phones With BlackRock Trojan

A new malicious app is being advertised that pretends to be an Android version of the Clubhouse application, which is currently only available on iOS. Clubhouse is an invitation-only audio chat app that allows users to listen in on conversations in real time. ESET researchers discovered the fake Android application being distributed through a cloned Clubhouse website. The cloned website uses a button labeled “Get it on Google Play,” even though the application has been blocked by Google Play's security functions; the button is there to trick visitors into believing the application comes from the Google Play Store. Once the user follows the link, the malicious .APK is downloaded and deploys the BlackRock banking trojan. BlackRock was discovered in 2020 and was traced back to Xerxes and LokiBot, both of which had their source code leaked online. The trojan can intercept and tamper with SMS messages, hide notifications, redirect users to their device’s home screen if they attempt to run antivirus software, and remotely lock the screen. Not only can BlackRock steal device information and text messages, but it can also steal content from approximately 458 online services.

Analyst Notes

The trojan’s main goal is credential harvesting, targeting applications such as Facebook, Amazon, Netflix, Twitter, Cash App, and other financial services. As with any user account, Multi-Factor Authentication (MFA) should be in place. It is highly recommended to set up MFA through a trusted third-party authenticator app rather than SMS (text messages): in this case, MFA delivered over SMS would be compromised as well, because the trojan can intercept SMS messages. It is also advised that applications only be downloaded through trusted app stores such as the Google Play Store on Android. Whenever an application is advertised on a website, it is a good idea to open the Play Store application and search for the app there; if it does not appear, it could be malicious. For companies concerned about their website being cloned and used for malicious purposes, the Binary Defense Counterintelligence team utilizes various sources to conduct domain monitoring and search for fake websites and look-alike email services on behalf of companies.
More can be read here: https://www.zdnet.com/article/fraudsters-jump-on-clubhouse-hype-to-push-malicious-android-app/