    Newly Uncovered Android Trojan "BlankBot" Targets Turkish Users' Financial Data

    Cybersecurity researchers have discovered a new Android banking Trojan called BlankBot that targets Turkish users in order to steal their financial credentials.

    “BlankBot boasts an array of insidious capabilities, which encompass fraudulent user interfaces, keystroke logging, screen capture, and communication with a command server via a WebSocket channel,” Intel 471 said in an analysis published last week.

    First identified on July 24, 2024, BlankBot is said to be under active development. It abuses Android's accessibility services permission to take full control of infected devices.

    Some of the malicious APK files carrying BlankBot are listed below, with the package name in parentheses:

    • app-release.apk (com.abcdefg.w568b)
    • app-release.apk (com.abcdef.w568b)
    • app-release-signed (14).apk (com.whatsapp.chma14)
    • app.apk (com.whatsapp.chma14p)
    • app.apk (com.whatsapp.w568bp)
    • showcuu.apk (com.whatsapp.w568b)

    Like the recently resurfaced Mandrake Android Trojan, BlankBot uses a session-based package installation to get around the Restricted Settings feature introduced in Android 13, which is designed to stop sideloaded apps from directly requesting dangerous permissions such as accessibility service access.

    “The bot coaxes the victim into enabling the installation of applications from third-party sources, subsequently retrieving the Android Package Kit (APK) file embedded within the application’s asset directory without encryption and advancing with the installation procedure,” Intel 471 said.
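    One consequence of the session-based install path described above is that the dropper, not Google Play, becomes the installer of record for the second-stage APK, which is visible in the device's package list. The following triage script is an added example written for this page, not code from Intel 471 or from the article; it takes the output of `adb shell pm list packages -i` (assumed to be one `package:<name>  installer=<name or null>` line per package), flags the package names listed above, flags packages that imitate WhatsApp's `com.whatsapp` package name, and flags any package whose installer of record is another app rather than a store. The sample output, the list of "known" installers and all function names are constructed for the example.

```python
"""Triage an Android package list for BlankBot indicators (added example).

Input is assumed to be the text printed by `adb shell pm list packages -i`,
one package per line:  package:<name>  installer=<name or null>
The package names in BLANKBOT_PACKAGES are those listed in the article;
the sample output and the installer allow-list below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Package names of the BlankBot samples named in the Intel 471 write-up.
BLANKBOT_PACKAGES = {
    "com.abcdefg.w568b",
    "com.abcdef.w568b",
    "com.whatsapp.chma14",
    "com.whatsapp.chma14p",
    "com.whatsapp.w568bp",
    "com.whatsapp.w568b",
}

# Installers that normally put apps on a device. Assumption for this
# example: Google Play plus the stock package-installer UI; an OEM store
# would have to be added. Anything else as installer of record means an
# app on the device installed the package itself.
KNOWN_INSTALLERS = {
    None,                                   # preinstalled / no record
    "com.android.vending",                  # Google Play
    "com.google.android.packageinstaller",  # stock installer UI
    "com.android.packageinstaller",
}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

# Constructed sample of `pm list packages -i` output for a device with
# a BlankBot dropper that has installed a WhatsApp look-alike.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.abcdefg.w568b  installer=com.google.android.packageinstaller
package:com.whatsapp.chma14  installer=com.abcdefg.w568b
package:com.example.bank  installer=com.android.vending
"""


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]
    reason: str


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm prints 'null')."""
    installed: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank line or something not in pm's format
        pkg, installer = match.group(1), match.group(2)
        installed[pkg] = None if installer == "null" else installer
    return installed


def triage(installed: Dict[str, Optional[str]]) -> List[Finding]:
    """Return one Finding per suspicious property of an installed package."""
    findings: List[Finding] = []
    for pkg, installer in installed.items():
        if pkg in BLANKBOT_PACKAGES:
            findings.append(Finding(pkg, installer,
                                    "package name matches a BlankBot sample"))
        elif pkg.startswith("com.whatsapp."):
            # The real client is exactly com.whatsapp; sub-packages imitate it.
            findings.append(Finding(pkg, installer,
                                    "package name imitates WhatsApp"))
        if installer not in KNOWN_INSTALLERS:
            reason = ("installed by a known BlankBot package"
                      if installer in BLANKBOT_PACKAGES
                      else "installed by another app rather than a store")
            findings.append(Finding(pkg, installer, reason))
    return findings


if __name__ == "__main__":
    for f in triage(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"{f.package:28} installer={str(f.installer):40} {f.reason}")
```

    On the constructed sample the script reports the dropper by name and the WhatsApp look-alike twice: once for its name and once because its installer of record is the dropper itself. Real `com.whatsapp` installed from Google Play produces no finding, which is the check that keeps the name heuristic from flagging the genuine client.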

    The malware comes with a wide range of functions that let it take screenshots, log keystrokes, and display fake overlays on command from a remote server, all in order to steal banking credentials, payment card data, and even the pattern used to unlock the device.

    BlankBot can also intercept SMS messages, uninstall arbitrary applications, and collect data such as contact lists and the list of installed apps. It further abuses the accessibility services API to stop users from opening device settings or launching antivirus applications.

    “BlankBot represents a nascent Android banking Trojan still in the developmental phase, as evidenced by the myriad code variations observed across different applications,” the cybersecurity firm noted. “Nevertheless, the malware is fully capable of executing malicious operations once it infiltrates an Android device.”

    A Google spokesperson told The Hacker News that the company has not found any apps containing this malware on the Google Play Store.

    “Android users are inherently safeguarded against recognized versions of this malware by Google Play Protect, which is activated by default on Android devices equipped with Google Play Services,” the technology giant stated. “Google Play Protect alerts users and obstructs apps harboring this malware, even if those apps are sourced from outside the Play Store.”

    The disclosure comes as Google outlined the steps it is taking to counter cybercriminals' use of cell-site simulators such as Stingrays to inject SMS messages directly into Android devices, a fraud technique known as SMS Blaster fraud.

    “This method of injecting messages completely circumvents the carrier network, thereby bypassing all sophisticated network-based anti-spam and anti-fraud filters,” Google remarked. “SMS Blasters expose a counterfeit LTE or 5G network that performs a single function: downgrading the user’s connection to a legacy 2G protocol.”

    Google's countermeasures include a user option to disable 2G at the modem level (on devices whose modem supports it) and disabling null ciphers, i.e. refusing an unencrypted radio connection, the latter being a configuration a false base station depends on to inject an SMS payload.

    Earlier in May, Google also said it is strengthening cellular security by warning users when their cellular network connection is unencrypted and when cybercriminals are using cell-site simulators to eavesdrop on them or send them fraudulent SMS messages.
