The BlackRock Trojan is one of the newest Android Trojans which is rated by many to be one of the most dangerous threats to have been developed for Google’s mobile operating system. This is a banking Trojan which is believed to be derived from the code of Xerxes, one of the upgraded versions of LokiBot.
BlackRock Trojan Is The New Menace for Google’s Operating System
The BlackRock Trojan is a new and dangerous Android malware which falls under the category of a banking Trojan. Because its samples were not previously known to security researchers, an analysis was made of the collected samples. This led to an in-depth look showing that the threat is actually a very complex malware that was unknown until this moment. Code snippets found in it show that the developers have taken several parts of the Xerxes banking Trojan, which is itself based on LokiBot. Tracking the development of Xerxes shows that its code was made public last year, which means that any hacking group or individual malware developer could have accessed it and created their own derivative.
So far it seems that the BlackRock Android Trojan is the only complete derivative of Xerxes, which in turn is based on LokiBot, for many years one of the most dangerous examples of Android viruses.
The original LokiBot malware is now rarely used by computer hackers to infect mobile devices; however, derivatives of it are constantly being made by various hacking groups. BlackRock is distinct from most previous Android banking Trojans in that it includes a very large target list covering applications and services used by individual users and companies. The BlackRock Android Trojan uses the familiar tactic of infecting commonly installed applications with the necessary virus code. Examples are the following:
- Social Network Apps
- Messenger Apps
- Dating Services
- Communications Programs
These virus-infected applications can be spread using common distribution tactics, such as uploading the dangerous apps to the official repositories using fake or stolen developer credentials. In this case the hackers may also post user comments and upload long descriptions that promise new features or performance enhancements.
The complete list of applications hijacked by the BlackRock Trojan identifies each target by its Android package name.
We remind our users that the virus is not necessarily built into these applications. For the most part they are well-known and legitimate services, and it is precisely because of their popularity among Android users that they have been used as payload carriers for the BlackRock Trojan.
BlackRock Trojan Capabilities: What Are Its Android Malware Functions?
As soon as the BlackRock Android Trojan is installed on a given device it will start a sequence of malicious actions. The process is hidden from the user, and the dangerous payload carrier is hidden from the app drawer. The second stage is to invoke a prompt which asks the user to grant privileges to an Accessibility Service process. This may appear to be a legitimate system message, and most users will automatically click on it and disregard it. At the moment the active campaign spawns a fake "Use Google Update" message for this purpose.
The granted permissions give the Trojan additional privileges and access, enabling all of its functions. The BlackRock Android Trojan will install a local client that connects to a hacker-controlled server, which allows the criminals to carry out complex commands. At the moment the following malicious commands are supported:
- Send_SMS — This will send an SMS from the infected device
- Flood_SMS — This will continuously send out SMS messages to a given number every 5 seconds
- Download_SMS — Copies of the SMS messages on the device will be sent to the hackers
- Spam_on_contacts — This will send out SMS messages to each of the contacts stored on the device
- Change_SMS_Manager — This will set a virus app as the default SMS manager
- Run_App — This will run a specific application
- StartKeyLogs — This will start a keylogger module
- StopKeyLogs — This will stop the keylogger module
- StartPush — This will send out all notifications content to the hackers
- StopPush — This will stop sending out the notifications
- Hide_Screen_Lock — This will keep the device on the home screen
- Unlock_Hide_Screen — This will unlock the device from the home screen
- Admin — This will request the administrative privileges from the system
- Profile — This will add a managed administrator profile that will be used by the malware
- Start_clean_Push — This will hide all push notifications
- Stop_clean_Push — This will dismiss all active push notifications
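The two device settings the text above describes the Trojan changing, the enabled accessibility services (via the fake "Use Google Update" prompt) and the default SMS handler (Change_SMS_Manager), are both readable with adb. The following triage script is an added example, not code from the original article or from any analysis of the malware; the allowlists and the infected-looking package name in the sample are constructed assumptions.

```python
"""Triage of two Android secure settings that BlackRock-style Trojans abuse.
Input strings are what `adb shell settings get secure enabled_accessibility_services`
and `adb shell settings get secure sms_default_application` print ("null" when unset)."""

# Assumption: a fleet allowlist. TalkBack is Google's screen reader, the usual
# legitimate accessibility service on a stock device.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
# Assumption: packages that may legitimately be the default SMS handler.
ALLOWED_SMS_HANDLERS = {"com.google.android.apps.messaging", "com.android.mms"}


def _clean(setting: str) -> str:
    """Normalise raw `settings get` output: None, "" and "null" all mean unset."""
    raw = (setting or "").strip()
    return "" if raw == "null" else raw


def parse_accessibility_services(setting: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/service' list Android stores in the
    secure setting. 'pkg/.Svc' is shorthand for 'pkg/pkg.Svc'."""
    entries = []
    for item in filter(None, _clean(setting).split(":")):
        pkg, _, svc = item.partition("/")
        if svc.startswith("."):
            svc = pkg + svc
        entries.append((pkg, svc))
    return entries


def triage(accessibility_setting: str, sms_default: str) -> list[str]:
    """Return one finding per setting value that is outside the allowlists."""
    findings = []
    for pkg, svc in parse_accessibility_services(accessibility_setting):
        if pkg not in ALLOWED_ACCESSIBILITY:
            findings.append(f"unexpected accessibility service: {svc} (package {pkg})")
    sms_pkg = _clean(sms_default)
    if sms_pkg and sms_pkg not in ALLOWED_SMS_HANDLERS:
        findings.append(f"default SMS handler changed to {sms_pkg}")
    return findings


# Constructed sample output; the second package name is made up to look like a
# randomly generated dropper name and is not a real indicator.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "hmcyrvwfkq.xaznbdfp.kwovubq/.MainService"
)
SAMPLE_SMS_DEFAULT = "hmcyrvwfkq.xaznbdfp.kwovubq"

if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT):
        print(finding)
```

A device whose only enabled accessibility service is TalkBack and whose SMS handler is the stock messaging app produces no findings.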
The BlackRock Android Trojan includes all the common features of banking Trojans – the ability to hook into system processes and hijack users' data. Using the live connection to the hacker-controlled server, everything can be transmitted in real time. The keylogger functionality is particularly dangerous as it can track all user interactions.
Banking Trojans are designed to steal sensitive credentials for financial services by hijacking users' credentials or monitoring their actions. One common scenario is an overlay placed on top of the login screens of targeted apps: if victims enter their data into it, the data is automatically forwarded to the hackers.
As most online banks and financial services use some form of two-factor authentication, the Trojan can also capture SMS messages containing verification codes. The BlackRock Trojan also includes the ability to counter installed security software by looking for its services and disabling them. This can include practically all important categories of such applications: firewalls, intrusion detection systems, anti-virus programs and so on.
Like other popular Android Trojans it can create an identification code for the infected device; this is done by a process that takes various input data such as the hardware components, operating system variables and so on.
The attacks are still ongoing, but the identity of the hacking group is not known. A lot of samples carrying the signatures of BlackRock have been identified, which means that the campaign is still running.