An Android malware dubbed “BlackRock” has the potential to “steal” banking and other confidential data of a user, believes the country’s cyber security agency CERT-In. The advisory from the agency read that the malware can extract credentials and credit card information from over 300 apps such as email, e-commerce and social media apps, besides banking and financial apps.
The “attack campaign” of this ‘Trojan’ category malware is active globally, said the Computer Emergency Response Team of India (CERT-In), the national technology arm that combats cyber-attacks and guards Indian cyberspace. The BlackRock Android malware was initially reported by ThreatFabric earlier this month and was first spotted in May.
“It is reported that a new Android malware strain dubbed ‘BlackRock’ equipped with data-stealing capabilities is attacking a wide range of Android applications. The malware is developed using the source code of Xerxes banking malware which itself is a variant of LokiBot Android Trojan,” the advisory said.
The target list of this malware contains 337 applications, including banking and financial applications as well as well-known non-financial brand-name apps on an Android device that focus on social, communication, networking and dating platforms.
“It can steal credentials and credit card information from over 300 plus apps like email clients, e-commerce apps, virtual currency, messaging or social media apps, entertainment apps, banking and financial apps etc,” the advisory said.
“When the malware is launched on the victim’s device, it hides its icon from the app drawer and then masquerades itself as a fake Google update to request accessibility service privileges.”
Once this privilege is granted, it becomes free to grant itself additional permissions, allowing it to function further without interacting with the user. The malware is deadly as it has the capability to “deflect” the majority of antivirus applications.
“Another feature of this Android Trojan is making use of ‘Android work profiles’ to control the compromised device without requiring complete admin rights and instead creating and attributing its own managed profile to gain admin privileges,” the advisory added.
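The behaviour the advisory describes (an app with a Google-sounding label that hides its launcher icon, holds an enabled accessibility service, and owns a managed profile it created itself) can be turned into a simple device-triage check. The script below is an added example written for this article, not code from CERT-In or ThreatFabric. It parses the colon-separated `package/Service` list that Android stores in `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES` (on a real device: `adb shell settings get secure enabled_accessibility_services`) and scores a constructed app inventory against four indicators. The package names, labels, allow lists and the `InstalledApp` record are all assumptions constructed for the example; an operator would fill the inventory from `pm list packages` and `dumpsys package` output instead.

```python
"""Added example: flag installed Android apps that combine the indicators
described in the advisory (hidden icon, accessibility access, Google-branded
label from a non-Google package, self-created managed/work profile).
All package names, labels and allow lists below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class InstalledApp:
    package: str
    label: str
    has_launcher_icon: bool           # False when the app hides itself from the app drawer
    permissions: set = field(default_factory=set)
    is_profile_owner: bool = False    # app is the owner of a managed (work) profile


# Assumed organisational allow lists: accessibility helpers and MDM agents
# that are legitimately expected to hold these capabilities.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}
PROFILE_OWNER_ALLOWLIST = {"com.example.mdm"}          # constructed MDM package
TRUSTED_PREFIXES = ("com.google.", "com.android.")     # packages allowed to use Google branding


def parse_enabled_accessibility_services(value: str) -> list[tuple[str, str]]:
    """Parse the real on-device format: 'pkg/Service:pkg2/Service2'."""
    entries = []
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        entries.append((pkg, svc))
    return entries


def triage(apps: list[InstalledApp], enabled_services: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {package: [reasons]} for every app that trips at least one indicator."""
    enabled_pkgs = {pkg for pkg, _ in enabled_services}
    findings: dict[str, list[str]] = {}
    for app in apps:
        reasons = []
        if app.package in enabled_pkgs and app.package not in ACCESSIBILITY_ALLOWLIST:
            reasons.append("accessibility service enabled but not on allow list")
        if not app.has_launcher_icon and app.package in enabled_pkgs:
            reasons.append("no launcher icon while holding accessibility access")
        if "google" in app.label.lower() and not app.package.startswith(TRUSTED_PREFIXES):
            reasons.append("Google-branded label from a non-Google package")
        if app.is_profile_owner and app.package not in PROFILE_OWNER_ALLOWLIST:
            reasons.append("owns a managed profile but is not an approved MDM agent")
        if reasons:
            findings[app.package] = reasons
    return findings


# Constructed sample data standing in for real `adb` output.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)
SAMPLE_APPS = [
    InstalledApp("com.google.android.marvin.talkback", "TalkBack", True),
    InstalledApp("com.example.fakeupdate", "Google Update", False,
                 {"android.permission.SYSTEM_ALERT_WINDOW"}, is_profile_owner=True),
    InstalledApp("com.example.notes", "Notes", True),
    InstalledApp("com.example.mdm", "Company Portal", True, is_profile_owner=True),
]


def run_sample() -> dict[str, list[str]]:
    return triage(SAMPLE_APPS, parse_enabled_accessibility_services(SAMPLE_ENABLED))


if __name__ == "__main__":
    for pkg, reasons in run_sample().items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

Only the constructed `com.example.fakeupdate` entry is reported, with all four reasons; the allow-listed TalkBack and MDM packages and the plain notes app produce nothing. Any single indicator on its own is weak (legitimate accessibility tools and MDM agents exist), which is why the check reports reasons rather than a verdict and leaves the decision to the analyst.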