A new Android malware strain, based on the Xerxes banking Trojan, has been discovered by analysts at ThreatFabric, the mobile security firm. Dubbed BlackRock, this new threat emerged in May 2020 and works like most Android banking trojans, with the exception of targeting more apps than most of its predecessors. The trojan will steal both login credentials (username and passwords), where available, but also prompt the victim to enter payment card details if the apps support financial transactions. It comes equipped with a wide range of data theft capabilities, which allows it to target a huge 337 Android applications. ThreatFabric found that the malware’s data collection takes place via a technique called “overlays,” which consists of detecting when a user tries to interact with a legitimate app and showing a fake window on top that collects the victim’s login details and card data before allowing the user to enter the intended legitimate app.
The source code of the Xerxes malware was made public by its author around May 2019, and when the source code of the malware is made publicly accessible it is pretty common to see the threat landscape being supplemented with new malware variants or families based on said code.