A newly discovered Android banking Trojan named BlankBot is targeting Turkish users in an effort to steal financial data, according to cybersecurity researchers.
“BlankBot is equipped with a variety of malicious functions, including customer injections, keylogging, screen recording, and it interacts with a control server via a WebSocket connection,” outlined Intel 471 in an analysis released last week.
First detected on July 24, 2024, BlankBot is said to be under active development. The malware abuses Android's accessibility services permission to take full control of compromised devices.

Below are some of the APK files identified as carrying BlankBot:
- app-release.apk (com.abcdefg.w568b)
- app-release.apk (com.abcdef.w568b)
- app-release-signed (14).apk (com.whatsapp.chma14)
- app.apk (com.whatsapp.chma14p)
- app.apk (com.whatsapp.w568bp)
- showcuu.apk (com.whatsapp.w568b)
Like the recently surfaced Mandrake Android malware, BlankBot uses a session-based package installer to bypass the restricted settings feature introduced in Android 13, which prevents sideloaded applications from directly requesting dangerous permissions.
“The bot prompts the victim to allow app installations from third-party sources; it then retrieves the Android package kit (APK) file saved inside the application assets directory without encryption and proceeds with the installation procedure,” Intel 471 said.
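Because the second-stage APK is stored unencrypted in the dropper's assets directory, the dropper can be flagged statically without executing it. The script below is an added example written for this page, not Intel 471's tooling or any code from the malware: it opens an APK (a ZIP archive), looks for entries under assets/ that begin with the ZIP signature, and confirms each one is itself an APK by checking for AndroidManifest.xml and a classes*.dex. The sample archives are constructed in memory so the script runs offline; the manifest and dex bytes in them are placeholder data, not real Android artifacts.

```python
import io
import sys
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # first bytes of any non-empty ZIP / APK


def _looks_like_apk(names):
    """An archive is treated as an APK if it has a manifest and dex code."""
    has_manifest = "AndroidManifest.xml" in names
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return has_manifest and has_dex


def find_embedded_apks(apk_bytes):
    """Return the names of assets/ entries that are complete, unencrypted APKs.

    Only plaintext payloads are caught (the case the page describes); an
    encrypted or XOR-obfuscated payload would not start with the ZIP header
    and would need a separate entropy or dex-string heuristic.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info.filename)
            if not data.startswith(ZIP_LOCAL_HEADER):
                continue  # not a ZIP container at all
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue  # ZIP magic but not a parseable archive
            if _looks_like_apk(names):
                found.append(info.filename)
    return found


# --- constructed samples (placeholder bytes, not real Android files) ---------

def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


_FAKE_MANIFEST = b"\x03\x00\x08\x00placeholder-binary-xml"
_FAKE_DEX = b"dex\n035\x00placeholder"


def build_sample_dropper():
    """A dropper-style APK: a full second-stage APK sits in assets/."""
    payload = _build_zip({"AndroidManifest.xml": _FAKE_MANIFEST,
                          "classes.dex": _FAKE_DEX})
    return _build_zip({"AndroidManifest.xml": _FAKE_MANIFEST,
                       "classes.dex": _FAKE_DEX,
                       "assets/strings.json": b"{}",
                       "assets/payload.apk": payload})


def build_sample_clean():
    """A benign-looking APK: assets/ holds a font and a plain data ZIP."""
    data_zip = _build_zip({"readme.txt": b"just data"})
    return _build_zip({"AndroidManifest.xml": _FAKE_MANIFEST,
                       "classes.dex": _FAKE_DEX,
                       "assets/font.ttf": b"\x00\x01\x00\x00",
                       "assets/data.zip": data_zip})


if __name__ == "__main__":
    # Usage: python find_embedded_apks.py suspect.apk [more.apk ...]
    # With no arguments, run against the constructed samples.
    paths = sys.argv[1:]
    if not paths:
        for label, blob in (("dropper", build_sample_dropper()),
                            ("clean", build_sample_clean())):
            print(label, "->", find_embedded_apks(blob))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, "->", find_embedded_apks(fh.read()))
```

A hit here is a strong but not conclusive indicator: some legitimate apps ship plugin or updater APKs in assets/. Pair the result with the outer manifest (decoded with a tool such as apktool or aapt) to see whether it requests REQUEST_INSTALL_PACKAGES, which is what the session-based install path needs.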
On command from a remote server, the malware can record the screen, log keystrokes, and display overlay injections to steal bank credentials, payment details, and even the device unlock pattern.
BlankBot can also intercept SMS messages, uninstall arbitrary applications, and collect data such as contact lists and installed applications. It further abuses the accessibility services API to prevent the user from opening device settings or launching antivirus apps.
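Since the malware depends on an enabled accessibility service and the known samples reuse a handful of package names (listed above), a quick device triage can be done from the output of two adb commands: `adb shell pm list packages -3` (third-party packages) and `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries, or `null`). The script below is an added example for this page, not Intel 471's or Google's tooling; the adb output it parses is constructed, and the "lookalike package" heuristic (anything under `com.whatsapp.` other than the real `com.whatsapp` package) is this example's own assumption, drawn from the IOC list, not a rule stated by the page.

```python
# Known BlankBot package names from the IOC list on this page.
BLANKBOT_PACKAGES = {
    "com.abcdefg.w568b",
    "com.abcdef.w568b",
    "com.whatsapp.chma14",
    "com.whatsapp.chma14p",
    "com.whatsapp.w568bp",
    "com.whatsapp.w568b",
}

# Packages whose accessibility services are expected on the device.
# Assumption for this example; build the real list from your fleet baseline.
A11Y_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}


def parse_pm_list(output):
    """Parse 'pm list packages' output ('package:<name>' per line)."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line.split(":", 1)[1].strip())
    return packages


def parse_enabled_accessibility(output):
    """Parse the enabled_accessibility_services setting into (package, service) pairs."""
    output = output.strip()
    if not output or output == "null":
        return []
    pairs = []
    for entry in output.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        pairs.append((pkg, svc))
    return pairs


def is_lookalike(pkg):
    """Heuristic (example's own): impersonates WhatsApp's package prefix."""
    return pkg.startswith("com.whatsapp.") and pkg != "com.whatsapp"


def triage(pm_output, a11y_output, allowlist=A11Y_ALLOWLIST):
    """Return a sorted list of (severity, package, reason) findings."""
    installed = parse_pm_list(pm_output)
    a11y = parse_enabled_accessibility(a11y_output)
    a11y_pkgs = {pkg for pkg, _ in a11y}
    findings = []
    for pkg in installed:
        if pkg in BLANKBOT_PACKAGES:
            sev = "critical" if pkg in a11y_pkgs else "high"
            findings.append((sev, pkg, "known BlankBot package name"))
        elif is_lookalike(pkg):
            findings.append(("medium", pkg, "lookalike package name"))
    for pkg, svc in a11y:
        if pkg not in allowlist and pkg not in BLANKBOT_PACKAGES:
            findings.append(("medium", pkg, f"unexpected accessibility service {svc}"))
    return sorted(findings)


# Constructed adb output for a device carrying one of the listed samples.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp
package:com.whatsapp.w568b
package:com.example.notes
"""
SAMPLE_A11Y_OUTPUT = "com.whatsapp.w568b/com.whatsapp.w568b.AccService:com.android.talkback/.TalkBackService"

if __name__ == "__main__":
    for sev, pkg, reason in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT):
        print(f"[{sev}] {pkg}: {reason}")
```

To run it against a real device, capture the two adb outputs to files and pass their contents to `triage()`. A package name match is only a first filter: BlankBot's package names are trivially changed between builds, so the enabled-accessibility-service check is the more durable signal.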
“BlankBot is a fresh Android banking Trojan still in the development stage, evident from the various code variants found in different apps,” the security firm highlighted. “Nevertheless, the malware can execute malevolent operations once it infiltrates an Android device.”
Google clarified to The Hacker News that there are no instances of apps containing this malware on the Google Play Store.
“Android users are automatically safeguarded against known versions of this malware by Google Play Protect, which is active by default on Android devices equipped with Google Play Services,” the tech behemoth mentioned. “Google Play Protect alerts and blocks apps harboring this malware, even if they are sourced from external platforms apart from Play.”
The disclosure coincides with Google detailing the steps it is taking to counter threat actors' use of cell-site simulators such as Stingrays to inject SMS messages directly into Android devices, a scam tactic known as SMS Blaster fraud.
“This approach of injecting messages completely bypasses the carrier network, dodging all the advanced network-based anti-spam and anti-fraud filters,” Google disclosed. “SMS Blasters set up a counterfeit LTE or 5G network that carries out a sole function: downgrading the user’s connection to a legacy 2G protocol.”
The countermeasures include a user-facing option to disable 2G at the modem level and to disable null ciphers, a configuration a false base station relies on in order to inject an SMS payload.
In an earlier action this May, Google also indicated intensifying cellular security by notifying users about unencrypted cellular network connections and possible exploitation by criminals using cell-site simulators to eavesdrop or dispatch SMS-based fraudulent messages.
(The article was updated after publication to include a response from Google.)
