A new Android malware strain, based on the Xerxes banking Trojan, has been discovered by analysts at ThreatFabric, the mobile security firm. Dubbed BlackRock, this new threat emerged in May 2020 and works like most Android banking trojans, except that it targets far more apps than most of its predecessors: 337 Android applications in all. The trojan steals login credentials (usernames and passwords) where an app has them, and prompts the victim to enter payment card details if the app supports financial transactions. ThreatFabric found that the data collection takes place via a technique called “overlays”: the malware detects when the user opens a targeted legitimate app and draws a fake window on top of it that collects the victim’s login details or card data before handing the user over to the real app.
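The overlay technique described above only works if the malware knows which app the victim has just opened and is allowed to draw on top of it; on Android that means an enabled Accessibility Service together with the “draw over other apps” permission (SYSTEM_ALERT_WINDOW). The triage script below, an added example that is not code from the article or from ThreatFabric, parses two pieces of device state that an analyst pulls over adb (the `enabled_accessibility_services` secure setting and the per-package `appops` output) and flags packages that hold both capabilities. The allowlist, the package names and the sample strings are constructed for the example.

```python
"""Triage check for overlay-capable apps on an Android device.

Added example, not from the article or from ThreatFabric. Input is collected
with:

    adb shell settings get secure enabled_accessibility_services
    adb shell appops get <package> SYSTEM_ALERT_WINDOW

All sample values below are constructed; the allowlist is hypothetical.
"""
from typing import Dict, List, Tuple

# Hypothetical allowlist of packages whose accessibility services are
# expected on the device (screen readers, switch access and the like).
KNOWN_GOOD = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the enabled_accessibility_services value into (package, class).

    Android stores the value as colon-separated component names such as
    'pkg/pkg.Svc:other/.Svc'; a class starting with '.' is shorthand for
    '<package>.Svc'. An unset value reads 'null'.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        component = component.strip()
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def overlay_allowed(appops_output: str) -> bool:
    """Return True if 'appops get <pkg> SYSTEM_ALERT_WINDOW' reports 'allow'.

    The command prints a line like 'SYSTEM_ALERT_WINDOW: allow; time=...'
    or 'No operations.' when nothing is set (format assumed from practice,
    so the parser only keys on the op name and the mode word).
    """
    for line in appops_output.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].strip().split(";")[0].strip()
            return mode == "allow"
    return False


def suspicious_packages(enabled_services: str,
                        appops_by_pkg: Dict[str, str],
                        allow=KNOWN_GOOD) -> List[Dict[str, object]]:
    """Report packages with an enabled accessibility service outside the
    allowlist, noting whether each can also draw over other apps.
    A package with both capabilities is the strongest signal."""
    findings = []
    for pkg, cls in parse_enabled_services(enabled_services):
        if pkg in allow:
            continue
        findings.append({
            "package": pkg,
            "service": cls,
            "overlay": overlay_allowed(appops_by_pkg.get(pkg, "")),
        })
    return findings


# Constructed sample: one legitimate screen reader and one unknown package
# that holds both capabilities an overlay trojan needs.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.AccService"
)
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.sysupdate": "SYSTEM_ALERT_WINDOW: allow; time=+1d2h3m4s ago",
}

if __name__ == "__main__":
    for finding in suspicious_packages(SAMPLE_SERVICES, SAMPLE_APPOPS):
        print(finding)
```

On a real device, feed the output of the two adb commands into `suspicious_packages`; any hit whose package name does not match an app the user knowingly installed for accessibility purposes deserves a closer look at its APK.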
The source code of the Xerxes malware was made public by its author around May 2019. When malware source code becomes publicly accessible, it is common to see the threat landscape supplemented with new variants or families built on that code, and BlackRock is one such case.
Unfortunately, this malware is sophisticated enough to disguise itself as a genuine app while doing its damaging spy work in the background. Users should know what they are installing, or they risk unknowingly installing something illicit. The safest course is to install only from trusted app stores and to check an app’s reviews and publisher first. Overlay-based trojans of this kind also need the user to grant them the Accessibility Service and permission to draw over other apps; an app with no accessibility purpose that asks for these should be refused.
Once this malware is installed on your device, it can also record every keystroke, stealing passwords or security answers without your knowledge. One way to protect yourself from keyloggers is to use a password manager: if credentials are pasted or autofilled rather than typed, there are no keystrokes to capture, and the keylogger sees only that the clipboard was used. Two caveats apply. Pasting into a convincing overlay still hands the credentials to the attacker, because the fake window receives whatever is entered into it, so the password manager’s autofill, which offers a saved login only to the app whose package name it was stored for, is safer than copy and paste. And a trojan that has been granted the Accessibility Service can read text on screen regardless of how it got there, which is why refusing that permission matters more than any entry method.