This Android malware can steal your banking info from WhatsApp, Google Pay, SBI, ICICI, Amazon, and 332 other apps

Highlights
  • BlackRock malware can read everything you type on your smartphone
  • It can steal your credit card information, netbanking login, and more
  • It doesn’t let antivirus apps download on your smartphone
  • Apps affected by BlackRock include Instagram, Gmail, YouTube, and many more

A new malware, named BlackRock, has been found stealing user data as well as the banking details that users provide to the apps it targets. It has been found to infect apps such as Google Pay, Amazon, YONO Lite by SBI, Uber, Netflix, IDBI Bank Go Mobile+, iMobile by ICICI, Microsoft Outlook, HSBC, Oxigen Wallet, and MobiKwik, among others, to steal user information. The total number of apps it affects so far is 337. The malware targets Android phones and has only been spotted on third-party app stores so far, so if you download apps only from Google Play Store, your smartphone should not be affected.

What is BlackRock malware?

BlackRock is a trojan and a variant of the Xerxes malware, which was developed using the LokiBot. However, compared to its predecessors, BlackRock has a much bigger target list. Moreover, unlike previous trojans, which targeted only banking apps, the new malware targets not just banking apps but also apps related to social media, messaging, dating, e-books, music and videos, news, etc. It was discovered in May this year by Dutch cybersecurity firm ThreatFabric.

Which apps are affected by BlackRock malware?

While BlackRock malware itself does not have a lot of new features that previous trojans haven’t had, what makes it special is the list of apps it targets. The list of apps that BlackRock targets is rather huge by trojan standards and includes, but is not limited to, the following apps:

  • YONO Lite by SBI
  • iMobile by ICICI
  • IDBI Bank Go Mobile+
  • HSBC
  • MobiKwik
  • Oxigen Wallet
  • Amazon Shopping
  • Gmail
  • WhatsApp Messenger
  • WhatsApp Business
  • Google Pay
  • Instagram
  • IGTV
  • Google Play Music
  • Facebook Messenger
  • Facebook
  • Facebook Lite
  • YouTube
  • Uber
  • Netflix
  • Tinder
  • Twitter
  • Twitter Lite
  • Snapchat
  • Telegram
  • Play Store
  • Reddit
  • Pinterest
  • Hangouts
  • Microsoft Outlook
  • Yahoo Mail
  • PayPal
  • eBay
  • Amazon Seller
  • Skype
  • Skype Lite

Along with the banking, shopping, messaging, and dating apps, there are a number of cryptocurrency wallets that are targeted for data theft by the malware.

What can BlackRock malware do?

BlackRock’s features are not too powerful and are similar to what we have seen on earlier trojans. It can:

  • Perform overlays,
  • Spam your Messages inbox,
  • Read all your text messages,
  • Forward SMSes you receive to the hacker’s servers,
  • Send SMSes to others,
  • Read everything you type on the phone,
  • Lock your phone’s screen,
  • Collect your device information,
  • See all the notifications you get, and
  • Grant itself permissions on your phone

Along with this, the malware can hide itself from the app menu/app drawer so you will never know it was installed. Moreover, if you try to install an antivirus app, it will keep redirecting you to the home screen so that it is not discovered and, thus, cannot be deleted. Avast, AVG, BitDefender, Eset, Symantec, TrendMicro, Kaspersky, McAfee, and Avira antivirus apps will not be allowed to download on your phone. Even apps such as TotalCommander, SD Maid, and Superb Cleaner, which clean Android devices, will not be downloadable.

How does BlackRock work?

When BlackRock is first launched on your Android smartphone, it will hide its app icon. Then it will pose as a Google update and ask you to grant it Accessibility Services privileges. Once it has Accessibility privileges, it will give itself other permissions – including creating an admin profile for your phone for itself – so that it doesn’t need any more interaction or authorization from you.

Once the malware has all the permissions, it will be able to create an overlay on any of the apps that it targets for data collection. This means, for example, if you open the YONO Lite app by SBI, it will ‘put’ a fake screen on top of the app’s actual UI – when you enter your details on the fake screen, it can steal your username and password from this overlay.

The malware even targets social, messaging, lifestyle, and dating apps to steal credit card information. Of these 337 infected apps, as many as 111 apps are targeted for just credit card info theft, including WhatsApp, WhatsApp Business, Twitter, Twitter Lite, Snapchat, Telegram, Skype, Skype Lite, Instagram, IGTV, Facebook, Facebook Messenger Lite, YouTube, Play Store, Reddit, Pinterest, Hangouts, and Tinder. However, as mentioned earlier, if you have not downloaded any apps from third-party app stores and only use the Google Play Store to download apps on your phone, your smartphone should not be infected.