New Android Malware can steal your Social and other account

Around May 2020 ThreatFabric analysts have uncovered a new strain of banking malware dubbed BlackRock that looked pretty familiar. After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan. The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor.

When source code of malware is leaked or made publicly accessible it is pretty common to see the threat landscape being supplemented with new malware variants or families based on the said code. We have observed similar events in the past, as for example the infamous Bankbot Trojan code made available by its author, leading to new Trojans like CometBot, Razdel and Anubis. When Anubis itself was leaked the actor(s) behind the Ginp Trojan reused small portions of its code.

However, when Xerxes' source code was leaked, no new malware based on, or using portions of, such code was observed. BlackRock seems to be the only Android banking Trojan based on the source code of the Trojan at the moment.

Although LokiBot has been considered dead and inactive for a while, we have observed attempts from some actors to get the Trojan working several times in the last years. Looking at the number of samples built for each of those campaigns and the duration of those, the actors didn't seem to have been very successful. Therefore, we believe that those campaigns were probably driven by new actors trying out the publicly available source code. BlackRock campaigns - on the other hand - are not alike, not only did the Trojan undergo changes in its code, but also comes with an increased target list (containing many non-financial apps) and have been ongoing for a longer period.

Technical aspects aside, one of the interesting differentiators of BlackRock is its target list; it contains an important number of social, networking, communication and dating applications. So far, many of those applications haven't been observed in target lists for other existing banking Trojans. It therefore seems that the actors behind BlackRock are trying to abuse the grow in online socializing that increased rapidly in the last months due to the pandemic situation.
The LokiBot malware family

As BlackRock is based on the Xerxes banking Trojan, it is part of the LokiBot descendance which has several variants, as shown hereafter.

LokiBot itself was first observed between end 2016 and beginning 2017 as rented malware. Sometime after the author of the Trojan got banned from underground forums, the source code of the Trojan was leaked. During first half of 2018 MysteryBot was observed to be active. Although it was based on LokiBot it contained upgrades in order to work properly on newer Android versions and used new techniques to steal personal information. In the second half of 2018, Parasite appeared on the threat landscape as direct successor of MysteryBot. It was enhanced with accessibility features and some automated scripts (such as PayPal automated transfer scripts). In May 2019 the Xerxes Trojan first appeared, it was based on Parasite and after some unsuccessful attempts in offering the Trojan in underground forums, the actor made it publicly available. After being used by several actors, it faded away from the threat landscape. In May 2020 BlackRock was first spotted.

Read Full report