Cybersecurity researchers have uncovered a new Android banking trojan called BlankBot that targets Turkish users to steal financial information.
“BlankBot features a range of malicious capabilities, including customer injections, keylogging, screen recording, and communication with a control server via a WebSocket connection,” said Intel 471 in an analysis published last week.
Discovered on July 24, 2024, BlankBot is reportedly under active development. The malware exploits Android’s accessibility services permissions to gain full control over infected devices.
Below are some of the malicious APK files containing BlankBot:
- app-release.apk (com.abcdefg.w568b)
- app-release.apk (com.abcdef.w568b)
- app-release-signed (14).apk (com.whatsapp.chma14)
- app.apk (com.whatsapp.chma14p)
- app.apk (com.whatsapp.w568bp)
- showcuu.apk (com.whatsapp.w568b)
Similar to the recently resurfaced Mandrake Android trojan, BlankBot uses a session-based package installer to bypass the restricted settings feature introduced in Android 13, which blocks sideloaded applications from directly requesting dangerous permissions.
“The bot asks the victim to allow installation of applications from third-party sources, retrieves the Android package kit (APK) file stored in the application assets directory with no encryption, and proceeds with the package installation process,” Intel 471 said.
The malware includes features for screen recording, keylogging, and injecting overlays based on commands from a remote server to steal bank account credentials, payment data, and device unlock patterns.
BlankBot can also intercept SMS messages, uninstall arbitrary applications, and collect data such as contact lists and installed apps. It uses the accessibility services API to prevent users from accessing device settings or launching antivirus apps.
“BlankBot is a new Android banking trojan still under development, as evidenced by multiple code variants observed in different applications,” the cybersecurity company said. “Regardless, the malware can perform malicious actions once it infects an Android device.”
The disclosure follows Google’s outline of steps to combat threat actors’ use of cell-site simulators like Stingrays to inject SMS messages directly into Android phones, a fraud technique known as SMS Blaster fraud.
“This method to inject messages entirely bypasses the carrier network, thus avoiding all sophisticated network-based anti-spam and anti-fraud filters,” Google said. “SMS Blasters expose a fake LTE or 5G network to downgrade the user’s connection to a legacy 2G protocol.”
Mitigation measures include a user option to disable 2G at the modem level and turn off null ciphers, which are essential for a False Base Station to inject an SMS payload.
In May, Google also announced increased cellular security measures, such as alerting users if their cellular network connection is unencrypted or if criminals are using cell-site simulators to snoop on users or send them SMS-based fraud messages.
