Threat Watch

New BlackRock Android Trojan is Successor to Xerxes, LokiBot

Analysts at ThreatFabric have recently discovered a new Android banking Trojan they are calling “BlackRock.” Their analysis determined it to be based on the source code of Xerxes, another banking malware that is itself a descendant of LokiBot. When BlackRock starts, it hides its icon from the app drawer and then asks the victim to grant it Accessibility Service privileges on the device. To look convincing, the app disguises itself as a Google update. If the victim grants the Accessibility Service privileges, BlackRock uses them to grant itself the other permissions the bot needs to fully function. The bot can receive a number of commands, including:

  • Send or flood SMS messages
  • Send SMS messages to a command-and-control (C2) server
  • Set itself as the default SMS manager
  • Run another app
  • Start/stop key logging
  • Send notifications to a C2
  • Add an administrative profile to the device

While Xerxes and LokiBot were strictly banking Trojans, BlackRock seems to have expanded its reach to target other applications that may ask users for payment details as well. ThreatFabric has discovered 337 unique applications being targeted with generic card grabbing overlays to trick victims into giving away credit card information.
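The abuse chain above (a third-party app holding Accessibility Service privileges and making itself the default SMS handler) leaves traces in device settings that an analyst can pull over `adb shell`. The following triage script is an added example, not ThreatFabric's code or part of the original report: it parses the text output of `settings get secure enabled_accessibility_services`, `settings get secure sms_default_application` and `pm list packages -3`, and flags third-party packages outside an analyst-maintained allowlist that hold either role, calling out the case where one package holds both. The sample outputs and package names below are constructed placeholders, and `KNOWN_GOOD` is an assumed allowlist.

```python
"""Triage helper: flag third-party Android packages holding the privileges
the BlackRock bot grants itself (Accessibility Service, default SMS handler).

Input is the raw text of three `adb shell` commands captured from a device:
  settings get secure enabled_accessibility_services
  settings get secure sms_default_application
  pm list packages -3
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample of `settings get secure enabled_accessibility_services`:
# a colon-separated list of <package>/<service class> components.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)
# Constructed sample of `settings get secure sms_default_application` (a package name).
SAMPLE_DEFAULT_SMS = "com.example.fakeupdate"
# Constructed sample of `pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.example.bank
package:com.example.fakeupdate
package:com.google.android.marvin.talkback
"""
# Assumed allowlist: packages the analyst accepts as legitimate holders of these roles.
KNOWN_GOOD = {"com.google.android.marvin.talkback", "com.google.android.apps.messaging"}


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def parse_accessibility(raw: str) -> dict[str, list[str]]:
    """Map each package to the accessibility service classes it has enabled."""
    result: dict[str, list[str]] = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:  # skip empty or malformed entries
            continue
        pkg, cls = entry.split("/", 1)
        result.setdefault(pkg, []).append(cls)
    return result


def parse_third_party(raw: str) -> set[str]:
    """Collect package names from `pm list packages -3` output."""
    return {line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def audit(accessibility_raw: str, default_sms_raw: str, third_party_raw: str,
          known_good: set[str] = KNOWN_GOOD) -> list[Finding]:
    """Return one Finding per suspicious third-party package, sorted by name."""
    third_party = parse_third_party(third_party_raw)
    a11y = parse_accessibility(accessibility_raw)
    default_sms = default_sms_raw.strip()
    findings: dict[str, Finding] = {}

    def flag(pkg: str, reason: str) -> None:
        findings.setdefault(pkg, Finding(pkg)).reasons.append(reason)

    # Role 1: a non-allowlisted third-party app with an enabled Accessibility Service.
    for pkg, services in a11y.items():
        if pkg in third_party and pkg not in known_good:
            flag(pkg, "third-party app with Accessibility Service enabled: " + ", ".join(services))

    # Role 2: the default SMS handler is not on the allowlist.
    if default_sms and default_sms not in known_good:
        flag(default_sms, "non-allowlisted default SMS handler")

    # Both roles in one package matches the self-escalation pattern described above.
    if default_sms in a11y and default_sms in findings:
        flag(default_sms, "holds both Accessibility Service and default-SMS roles")

    return sorted(findings.values(), key=lambda f: f.package)


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS, SAMPLE_THIRD_PARTY):
        print(finding.package)
        for reason in finding.reasons:
            print("  -", reason)
```

On the constructed input the script flags only `com.example.fakeupdate`, with three reasons; TalkBack holds an accessibility service too but is on the allowlist, which is why the allowlist matters: accessibility services are legitimate for screen readers, so the signal is an unexpected third-party holder, not the privilege itself.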

ANALYST NOTES

Always use the official Google Play store when installing apps on an Android device. While no method is perfect, Google has many automated and manual efforts in place to catch malicious activity on its store. Before installing an application, also verify that the listed publisher is the company or developer you would expect to own the app.