Home Android New Android Malware ‘BlankBot’ Takes Full Control of Your Phone

New Android Malware ‘BlankBot’ Takes Full Control of Your Phone

0
New Android Malware 'BlankBot' Takes Full Control of Your Phone

Researchers have identified BlankBot, a newly discovered Android banking trojan primarily targeting Turkish users, which exhibits advanced capabilities, including customer injection, keylogging, and screen recording, facilitating data theft and remote control. 

BlankBot communicates with a command-and-control server via WebSocket and evades detection by most antivirus software, posing a significant threat to Android users. 

A novel Android malware, dubbed BlankBot, will masquerade as utility applications in late June 2024. Evading detection by most antivirus software, BlankBot exhibits distinct characteristics, differentiating it from known malware families. 

Android package kit (APK) icons BlankBot malware used

BlankBot, an Android banking trojan, leverages accessibility services to comprehensively monitor infected devices, capturing SMS, sensitive data, and app usage by injecting malicious overlays to steal banking credentials and device unlock patterns. 

Initializing with a GET request to gather device information, BlankBot subsequently uses WebSocket communication for covert command-and-control operations. 

While primarily targeting Turkish users, its potential geographic scope remains open due to the absence of specific financial institutions targeting. The BlankBot malicious application successfully installs on the device without a visible launcher icon. 

Subsequently, it prompts the user to grant accessibility permissions, displaying a deceptive message to legitimize the request and suggesting potential malicious intent to gain unauthorized control over the device through accessibility services. 

BlankBot installation process

It establishes a WebSocket connection with a control server after initiating contact via an HTTP GET request and deceptively displays a fake update screen while stealthily acquiring the necessary permissions. 

For Android 13 and later, BlankBot employs a session-based package installer to circumvent restricted settings, tricking the user into enabling third-party app installations before silently installing an APK from its assets without encryption. 

 BlankBot payload installation phase via Android 13

BlankBot employs MediaProjection and MediaRecorder APIs to capture device screen content as MP4 videos and JPEG images, respectively, exfiltrating the latter as Base64-encoded data. 

Additionally, it leverages accessibility services to log user interactions and implements a custom InputMethodService to intercept and transmit keystrokes, enabling comprehensive device monitoring and data theft. 

A new Android banking trojan injects customizable overlays based on commands from its control server, which can mimic legitimate banking apps (like ING Bank in this example) to steal user data. 

customized overlays

The malware uses two open-source libraries: CompactCreditInput to capture payment card details and Pattern Locker View to steal lock screen patterns. Researchers mimicked control server commands to test these overlays, which logged and sent any user input back to the server. 

According to Intel 471, it is a sophisticated Android malware capable of extensive device control, data exfiltration, and evasion. Using WebSocket communication, it executes C2 commands for actions like screen recording, device gestures, overlay creation, and data theft. 

To bypass security measures, it employs HVNC for UI element extraction and accessibility services for persistent device control, while the obfuscation techniques hinder analysis and evasion tactics prevent security intervention, making BlankBot a potent threat. 

Also Read:

NO COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here