Banking Malware Evolved: BlackRock now steals non banking credentials

July 21, 2020

A stealthier and more damaging attack on Android phone users has been observed and reported by many cybersecurity researchers. Where earlier malware infected Android phones mainly to target banking apps, the evidence shows that the attackers have now added social media, online streaming, and shopping apps to the list of targets.

The malware has been named BlackRock. Its code combines two earlier families: the Xerxes malware, used mainly to attack banking apps, and LokiBot, used for data exfiltration. Both also have spyware capabilities and hide in the root directory of the Android system to avoid interception by antivirus software. Once deployed and settled on the device, the malware begins stealing passwords, not only for banking apps but also for cryptocurrency and social media credentials on Instagram, Facebook, TikTok, Tumblr, Tinder, Twitter, and other prominent apps such as Amazon, Netflix, Uber, and eBay. The threat is larger still because the malware can also send the attackers information about installed applications, browsing history, the contact list, and location data, and can intercept SMS messages and call logs on the compromised device. The attack is not confined to a particular geographic region: it has been observed around the globe, concentrated mainly in the US, Canada, Australia, and most of Europe.


Apart from the discovery of BlackRock, the researchers also reported the malware ‘TrickMo’, which targets online banking users in Germany and can intercept the multi-factor authentication codes required by banks.


The adversaries can obtain the one-time password that a bank sends to the user’s registered mobile device and thereby access the victim’s online banking in real time without being noticed. They go further and bypass one-time passwords delivered as push notifications through the bank’s own app rather than by SMS, as long as the user is enrolled in that service. The recently discovered EventBot, exposed in April, follows a similar modus operandi and targets mainly financial apps such as HSBC, Santander, PayPal, and Barclays.

Through these techniques, BlackRock is able to withstand the security controls imposed on mobile devices. Besides embedding itself in the main directory of the Android system, it disguises itself as a legitimate application that requests additional permissions, such as access to contacts and photos and the ability to update system information. An unsuspecting victim may grant these permissions, giving the perpetrators further command and control over the compromised device.

This write-up aims to showcase how malware and spyware continue to evolve within mobile technology: separate attacks that were successful in the past can be combined and reborn as a far more dangerous tool. Because of this, app developers and users alike need a more agile and cautious approach to avoid falling victim to this malicious activity. At a minimum, make sure that any app you download comes from a legitimate source and is authorized by your financial institution, so that it is safe and free from malware or spyware infection.
