A new banking malware is spreading on Android devices right now. It uses the source code of the now inoperable malware Xerxes and an even older variant called LokiBot. With the malware, the hackers target apps that have already been manipulated in other malware campaigns.
Operating systems evolve constantly, and so do the banking Trojans that try to establish themselves on them. When Trojans are hidden inside apps, they are usually discovered before they can be distributed through official app stores, which is why cyber criminals mostly offer them through unofficial app stores and shady websites.
When a new version of Android is released, older malware often stops working, so new variants appear, mostly built on old code. The current BlackRock variant, for example, uses code elements some of which are four years old.
ThreatFabric has investigated how BlackRock behaves once it has infected a device. As expected, the malware can then manipulate data on the device at will. "When the malware is first launched on the device, the first thing it does is hide the app icon so that the user doesn't notice it," say the malware experts. "Next, the app asks the user to grant it the rights for the Android accessibility features. It often disguises itself as a Google update."
Android's accessibility service exists for an entirely different purpose, but it is very far-reaching and is therefore frequently abused by malware authors to obtain the permissions they need. Once granted, it lets an app read what is on the screen and perform taps and text input on the user's behalf, which is exactly what a banking Trojan needs.
BlackRock spies on credit card details and banking passwords
BlackRock can send SMS messages, forward copies of personal messages to its command-and-control (C&C) servers, launch apps at startup, force the device to stay on the home screen, register itself as a device administrator, and much more.
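The two privileges described above, an enabled accessibility service and a device administrator profile, can be checked quickly over adb on a device suspected of infection. The script below is an added example, not code from Bitdefender or ThreatFabric. It assumes adb access to the device; the command outputs embedded in it are constructed samples so that it runs offline, and the package name com.example.fakeupdate is a placeholder, not a real indicator.

```python
"""Triage third-party apps holding accessibility-service or device-admin rights.

Added example (not Bitdefender's or ThreatFabric's code). Assumes a device
reachable via `adb`; run with --live to query it, otherwise constructed
sample outputs are used. com.example.fakeupdate is a placeholder name.
"""
import subprocess
import sys
from typing import Dict, List, Set

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated list of "package/ServiceClass" components ("null" if none).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccessService"
)
# Constructed sample of: adb shell pm list packages -3  (third-party packages only)
SAMPLE_THIRD_PARTY = "package:com.example.fakeupdate\npackage:com.example.messenger\n"
# Constructed, abridged sample of: adb shell dumpsys device_policy
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.fakeupdate/.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
  Mock attestation: false
"""


def adb(*args: str) -> str:
    """Run `adb shell <args>` and return stdout (live mode only)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_accessibility_services(raw: str) -> Set[str]:
    """Package names with an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/")[0] for entry in raw.split(":") if entry}


def parse_third_party_packages(raw: str) -> Set[str]:
    """Package names from `pm list packages -3` output."""
    return {line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def parse_device_admins(raw: str) -> Set[str]:
    """Package names of enabled device admins from `dumpsys device_policy`.

    Admin components appear indented under the 'Enabled Device Admins' header
    as 'pkg/.Receiver:'; a less-indented line ends the section.
    """
    admins: Set[str] = set()
    in_section = False
    for line in raw.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if not in_section:
            continue
        stripped = line.strip()
        if stripped and not line.startswith("    "):
            in_section = False          # back to a top-level section
        elif "/" in stripped and stripped.endswith(":"):
            admins.add(stripped.rstrip(":").split("/")[0])
    return admins


def triage(enabled_services: str, third_party: str, device_policy: str) -> Dict[str, List[str]]:
    """Return third-party packages holding each privilege, and those holding both.

    Screen readers and MDM clients legitimately hold these rights, so the
    result is a review list for an analyst, not a malware verdict.
    """
    third = parse_third_party_packages(third_party)
    acc = parse_accessibility_services(enabled_services) & third
    adm = parse_device_admins(device_policy) & third
    return {"accessibility": sorted(acc),
            "device_admin": sorted(adm),
            "both": sorted(acc & adm)}


if __name__ == "__main__":
    if "--live" in sys.argv:
        findings = triage(adb("settings", "get", "secure", "enabled_accessibility_services"),
                          adb("pm", "list", "packages", "-3"),
                          adb("dumpsys", "device_policy"))
    else:
        findings = triage(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY, SAMPLE_DEVICE_POLICY)
    for privilege, packages in findings.items():
        print(f"{privilege}: {', '.join(packages) or '-'}")
```

Packages that appear under "both" deserve the closest look: a third-party app that holds accessibility rights and device-admin status, and has no launcher icon, matches the behaviour described here. Against the constructed sample the script lists only the placeholder package, while the system screen reader is filtered out because it is not a third-party install.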
Since it is a banking Trojan, it tries to obtain credit card details and banking passwords, either through form grabbing or with app-specific phishing overlays. For the overlays, the malware presents the user with a fake login page stored locally on the device instead of the app's real one, and the data entered is then sent to the C&C server.
Many of the apps targeted by the malware have nothing to do with finance; they are social media, messaging or dating apps. A lot of data can be harvested there, which in turn can be useful in other campaigns. The targets are mainly European banks and users, followed by Australian and North American ones.
More on this on the blog at Bitdefender.com
About Bitdefender
Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de