
New Android Trojan ‘BlankBot’ Targets Turkish Users’ Financial Data

August 05, 2024 | Ravie Lakshmanan | Mobile Security / Financial Security


Cybersecurity researchers have discovered a new Android banking Trojan called BlankBot targeting Turkish users with the aim of stealing financial information.

“BlankBot has a range of malicious capabilities, which include client injections, keylogging, screen recording, and it communicates with a control server via a WebSocket connection,” Intel 471 said in an analysis published last week.

Discovered on July 24, 2024, BlankBot is believed to be under active development, with the malware abusing Android Accessibility Services permissions to gain complete control over infected devices.


The names of some of the malicious APK files containing BlankBot are listed below –

  • app version.apk (com.abcdefg.w568b)
  • app version.apk (com.abcdef.w568b)
  • signed application version (14).apk (com.whatsapp.chma14)
  • application.apk (com.whatsapp.chma14p)
  • application.apk (com.whatsapp.w568bp)
  • showcuu.apk (com.whatsapp.w568b)

Like the recently resurfaced Mandrake Android trojan, BlankBot implements a session-based package installer to bypass the Restricted Settings feature introduced in Android 13 to prevent sideloaded apps from directly requesting dangerous permissions.

“The bot asks the victim to allow the installation of applications from third-party sources, then it retrieves the Android Package Kit (APK) file stored in the application’s assets directory without encryption and proceeds with the package installation process,” Intel 471 said.
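A defender triaging a suspicious APK can look for the dropper pattern described above, an unencrypted second APK stored under the app's assets/ directory, without running the sample. The following script is an added example written for this article, not code from Intel 471 or from the malware; it treats the APK as the ZIP archive it is, inspects every file under assets/ regardless of its extension, and reports any entry that itself contains an Android manifest or dex file. The sample APKs it scans are constructed in memory for the demonstration.

```python
import io
import zipfile

# Local file header signature that starts every ZIP (and therefore every APK).
ZIP_MAGIC = b"PK\x03\x04"

# Entries a real APK always carries; finding them inside a nested archive is a
# strong sign that the outer app bundles another installable package.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def is_apk_bytes(data: bytes) -> bool:
    """Return True if the bytes look like an APK: ZIP magic plus a manifest or dex."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(names & APK_MARKERS)


def find_embedded_apks(apk_bytes: bytes) -> list[dict]:
    """Scan the assets/ directory of an APK for unencrypted nested APKs.

    Returns one record per hit with the entry name, its size and the nested
    package's file list. The file extension is ignored on purpose: a dropper
    may store the payload under an innocuous name.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info.filename)
            if is_apk_bytes(data):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    inner_names = sorted(inner.namelist())
                hits.append({"entry": info.filename, "size": len(data), "contains": inner_names})
    return hits


def build_sample_apk(with_payload: bool) -> bytes:
    """Construct a minimal stand-in for an APK (constructed test data, not a real app)."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        z.writestr("assets/strings.json", b'{"greeting": "hello"}')
        if with_payload:
            # Second APK stored plain under a misleading name, as a dropper might do.
            z.writestr("assets/data.bin", payload.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = find_embedded_apks(build_sample_apk(flag))
        print(f"sample with_payload={flag}: {len(hits)} embedded APK(s)")
        for h in hits:
            print("   ", h["entry"], h["size"], "bytes, contains", h["contains"])
```

Treat a hit as a triage signal rather than a verdict: some legitimate apps also ship helper packages in assets/, so the next step is to pull the nested APK out and check its own manifest, requested permissions and signing certificate. To scan a real file, read it into bytes and pass them to find_embedded_apks.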

The malware comes with a wide range of capabilities: it can record the screen, log keystrokes and inject overlays in response to specific commands received from a remote server, harvesting bank account credentials, payment data and even the pattern used to unlock the device.

BlankBot is also capable of intercepting SMS messages, uninstalling arbitrary applications, and collecting data such as contact lists and installed applications. It further uses the Accessibility Services API to prevent the user from accessing device settings or launching antivirus applications.

“BlankBot is a new Android banking Trojan that is still under development, as evidenced by the multiple code variants observed in different applications,” the cybersecurity firm said. “Regardless, the malware can perform malicious actions once it infects an Android device.”

A Google spokesperson told The Hacker News that the company had not found any apps containing the malware on the Google Play Store.

“Android users are automatically protected from known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services,” the tech giant said. “Google Play Protect warns users and blocks apps that contain this malware, even when those apps come from sources outside of Play.”

The revelation comes as Google outlined the various measures it is taking to combat malicious actors’ use of cell site simulators like Stingrays to inject SMS messages directly into Android phones, a fraud technique called SMS Blaster fraud.

“This method of message injection bypasses the carrier’s network entirely, bypassing all sophisticated network-based spam and fraud filters,” Google said. “SMS Blasters expose a fake LTE or 5G network that performs a single function: downgrading the user’s connection to a legacy 2G protocol.”

Mitigations include a user option to disable 2G at the modem level and to disable null ciphers, the latter being an essential configuration for a fake base station to inject an SMS payload.

In early May, Google also said it was strengthening cellular security by alerting users if their cellular network connection is not encrypted and if criminals are using cell site spoofing to spy on users or send them fraudulent text messages.

(The story was updated after publication to include a response from Google.)
