Recent research by cyber security experts identifies a new Android banking trojan named BlankBot, which is built to steal financial information. The malware exhibits advanced capabilities including screen recording, keylogging, and remote control. BlankBot targets Turkish users and is still under development. Despite this, it poses a potential threat because of its sophisticated design and evasion techniques.
Discovery and Analysis
BlankBot was discovered on July 24, 2024 by Intel 471 Malware Intelligence and was found to be under active development. It abuses Android's accessibility services permissions to gain full control over infected devices.
The malware logs information displayed on the device, such as SMS messages, sensitive data and the list of installed applications. It can also perform custom injections to steal banking information, such as payment card data, as well as device lock patterns.
It first contacts its control server with an HTTP GET request that includes device information; subsequent communication takes place over a WebSocket connection on port 8080.
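The two-stage pattern described above (a device-information GET, then a WebSocket session on port 8080 to the same host) is something a defender can look for in per-app network telemetry. The following is an added example, not code from the report or from Intel 471: it runs over a handful of constructed log lines in a made-up format, and the query parameter names it treats as "device information" (model, android, imei) are assumptions, since the report does not give the real ones.

```python
import re
from collections import defaultdict

# Constructed sample of per-app connection events, one per line:
#   <app package> <destination host> <destination port> <protocol detail>
# These are made-up log lines for illustration, not captured BlankBot traffic.
SAMPLE_EVENTS = [
    "com.whatsapp.w568b 203.0.113.10 80 HTTP GET /?model=Pixel6&android=13&imei=REDACTED",
    "com.whatsapp.w568b 203.0.113.10 8080 HTTP GET /ws Upgrade: websocket",
    "com.example.news 198.51.100.5 443 TLS ClientHello",
    "com.example.chat 203.0.113.20 8080 HTTP GET /socket Upgrade: websocket",
    "com.example.shop 203.0.113.30 80 HTTP GET /api/products?page=2",
]

EVENT_RE = re.compile(r"^(?P<app>\S+) (?P<host>\S+) (?P<port>\d+) (?P<detail>.+)$")

# Query keys that would carry device information in the first GET
# (assumed marker names; the report does not give the real parameter names).
DEVICE_INFO_KEYS = ("model=", "android=", "imei=")


def parse_event(line):
    """Split one constructed log line into its fields, or return None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def looks_like_device_beacon(detail):
    """An HTTP GET whose query string carries device identifiers."""
    return detail.startswith("HTTP GET") and any(k in detail for k in DEVICE_INFO_KEYS)


def looks_like_websocket_upgrade(detail, port):
    """A WebSocket handshake on the port the report associates with BlankBot C2."""
    return port == 8080 and "Upgrade: websocket" in detail


def find_c2_sequences(lines):
    """Return {app: host} for apps whose events show a device-information GET
    followed by a WebSocket upgrade on port 8080 to the same host."""
    by_app = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_app[ev["app"]].append(ev)

    flagged = {}
    for app, events in by_app.items():
        beacon_hosts = set()
        for ev in events:  # events are assumed to be in chronological order
            if looks_like_device_beacon(ev["detail"]):
                beacon_hosts.add(ev["host"])
            elif looks_like_websocket_upgrade(ev["detail"], ev["port"]) and ev["host"] in beacon_hosts:
                flagged[app] = ev["host"]
    return flagged


if __name__ == "__main__":
    for app, host in find_c2_sequences(SAMPLE_EVENTS).items():
        print(f"suspicious C2 pattern: {app} -> {host}")
```

Only the app that sends device details and then opens the port-8080 WebSocket to the same host is flagged; an app that merely uses WebSockets on 8080 (com.example.chat in the sample) is not, which keeps the rule from firing on ordinary chat or push clients.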
Some of the malicious APK files containing BlankBot, with their package names, are:
- app-release.apk (com.abcdefg.w568b)
- app-release.apk (com.abcdef.w568b)
- app-release.signed (14).apk (com.whatsapp.chma14)
- app.apk (com.whatsapp.chma14p)
- app.apk (com.whatsapp.w568bp)
- showcuu.apk (com.whatsapp.w568b)
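The APK file names above are generic, but the package names are usable indicators on a device. The script below is an added example (not from the report) that sweeps the output of `adb shell pm list packages -f` for the package names listed and, since several of them impersonate WhatsApp, also flags any other `com.whatsapp.*` package that is not one of the official IDs. The pm output it parses is a constructed sample with fake paths.

```python
import re

# Package names given in the report's list of BlankBot APKs.
BLANKBOT_PACKAGES = {
    "com.abcdefg.w568b",
    "com.abcdef.w568b",
    "com.whatsapp.chma14",
    "com.whatsapp.chma14p",
    "com.whatsapp.w568bp",
    "com.whatsapp.w568b",
}

# Official WhatsApp package IDs (WhatsApp Messenger and WhatsApp Business);
# anything else under com.whatsapp.* is treated as a lookalike.
OFFICIAL_WHATSAPP = {"com.whatsapp", "com.whatsapp.w4b"}

# One line of `adb shell pm list packages -f` looks like
#   package:<path to base.apk>=<package name>
# The path may itself contain '=' characters, so the split happens at the last one.
PM_LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Constructed sample output (fake paths and hashes, for illustration only).
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~AbC123==/com.whatsapp-XyZ==/base.apk=com.whatsapp
package:/data/app/~~DeF456==/com.whatsapp.w568b-QwE==/base.apk=com.whatsapp.w568b
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~GhI789==/com.abcdef.w568b-RtY==/base.apk=com.abcdef.w568b
package:/data/app/~~JkL012==/com.whatsapp.updater-UiO==/base.apk=com.whatsapp.updater
"""


def parse_pm_list(text):
    """Yield (package, path) for each well-formed line of pm output."""
    for line in text.splitlines():
        m = PM_LINE_RE.match(line.strip())
        if m:
            yield m.group("pkg"), m.group("path")


def sweep_packages(text):
    """Classify installed packages: exact IoC hits and com.whatsapp.* lookalikes."""
    known, lookalike = [], []
    for pkg, _path in parse_pm_list(text):
        if pkg in BLANKBOT_PACKAGES:
            known.append(pkg)
        elif pkg.startswith("com.whatsapp.") and pkg not in OFFICIAL_WHATSAPP:
            lookalike.append(pkg)
    return {"known": sorted(known), "lookalike": sorted(lookalike)}


if __name__ == "__main__":
    result = sweep_packages(SAMPLE_PM_OUTPUT)
    for pkg in result["known"]:
        print(f"KNOWN BlankBot package installed: {pkg}")
    for pkg in result["lookalike"]:
        print(f"WhatsApp lookalike package (review): {pkg}")
```

On a real device, pipe `adb shell pm list packages -f` into `sweep_packages`; a "known" hit is a confirmed indicator, while a "lookalike" only deserves a closer look, since a third party could legitimately publish under a similar prefix.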
BlankBot uses a session-based package installer, similar to the Mandrake Android trojan, to bypass the restricted settings feature introduced in Android 13, which blocks sideloaded applications from directly requesting dangerous permissions, such as the permission to install applications from third-party sources.
The bot asks the victim for permission to install applications from third-party sources, then retrieves an unencrypted Android package kit (APK) file stored in the application's assets directory and proceeds with the package installation.
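Because the second-stage APK sits unencrypted in the dropper's assets directory, a static triage step can catch it without running the sample: unpack the outer APK (which is a zip file) and look for any entry under `assets/` that is itself a valid zip containing `AndroidManifest.xml` and `classes.dex`. This is an added example, not tooling from the report; it builds a constructed dropper-shaped zip in memory to demonstrate the check, so the payload contents are placeholders.

```python
import io
import zipfile


def build_sample_apk(embed_payload=True):
    """Construct a minimal APK-shaped zip for demonstration (not a real sample).

    When embed_payload is True, a second APK-shaped zip is stored unencrypted
    under assets/, mirroring the dropper layout described in the report.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        z.writestr("assets/config.json", b"{}")
        if embed_payload:
            z.writestr("assets/app.apk", inner.getvalue())
    return outer.getvalue()


def find_embedded_apks(apk_bytes):
    """Return the names of assets/ entries that are complete, unencrypted APKs.

    The extension is ignored on purpose: a dropper can store the payload under
    any name, so the check is on the content (zip magic plus manifest and dex).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info.filename)
            # A plaintext zip starts with the local file header signature.
            if not data.startswith(b"PK\x03\x04"):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            if "AndroidManifest.xml" in names and "classes.dex" in names:
                findings.append(info.filename)
    return findings


if __name__ == "__main__":
    for name in find_embedded_apks(build_sample_apk()):
        print(f"embedded APK payload found at {name}")
```

To run it against a real file, replace the constructed bytes with `open(path, "rb").read()`. An APK that carries another APK in its assets is not malicious by itself (some installers and app bundles do this legitimately), but combined with a request for the install-from-unknown-sources permission it is the dropper behaviour the report describes.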
Capabilities of BlankBot
BlankBot has extensive capabilities, including:
- Keylogging: it abuses accessibility services to intercept keystrokes and send them via a custom virtual keyboard.
- Screen recording: although this feature is still under development, it uses the MediaProjection and MediaRecorder APIs to capture device screen video and save it as MP4 files.
- Custom injections: it can create customizable overlays to solicit banking credentials, personal information or payment card data, using external libraries such as CompactCreditInput and Pattern Locker View to render these injection templates.
As soon as the victim installs the malware, it hides its icon and prompts the user for accessibility permissions with a deceptive message. While the user grants these permissions, it shows a fake update screen and obtains the remaining permissions in the background.
The malware initially injects messages that bypass the carrier network entirely, and with it all of the sophisticated network-based and anti-fraud filters.
How can you defend against BlankBot?
BlankBot primarily targets Turkish users, though its operators could expand distribution to other regions. The malware evades analysis through methods such as checking whether the device is an emulator, and maintains persistence by preventing users from accessing the settings or antivirus applications. Recent samples use obfuscation and junk code to hinder reverse engineering.
Android users are automatically protected against known versions of this malware by Google Play Protect, which warns users and blocks apps that contain this malware, including apps that come from sources outside of Play.
To mitigate the effect of the malware, users have the option to disable 2G at the modem level and to turn off null ciphers; the latter is an essential configuration for a false base station to inject an SMS payload.
In addition, Google is stepping up cellular security by alerting users when their cellular network connection is unencrypted, which is the case when criminals use cell-site simulators to snoop on users or send them SMS-based fraud messages.
To protect against the threat, users should regularly run Play Protect scans and revoke risky permissions on newly installed apps. Users should make sure not to grant permissions to applications downloaded from third-party sources.