A new Android trojan provides attackers with a broad range of malicious capabilities, including command execution, Intel 471 reports.
Dubbed BlankBot, the trojan was initially observed on July 24, but Intel 471 has identified samples dated at the end of June, almost all of which remain undetected by most antivirus software.
The threat is posing as utility applications and appears to be targeting Turkish Android users now, but could soon be used in attacks against users in more countries.
Once the malicious application has been installed, the user is prompted to grant accessibility permissions on the premise that they are required for correct execution. Next, on the pretense of installing an update, the malware enables all the permissions it requires to gain control of the device.
On Android 13 or newer devices, a session-based package installer is used to bypass restrictions and the victim is prompted to enable installation from third-party sources.
Armed with the necessary permissions, the malware can log everything on the device, including sensitive information, SMS messages, and application lists, and can perform custom injections to steal banking information and lock patterns.
BlankBot establishes communication with its command-and-control (C&C) server by sending device information in an HTTP GET request, but switches to the WebSocket protocol for subsequent communication.
The threat uses Android’s MediaProjection and MediaRecorder APIs to record the screen and abuses accessibility services to retrieve data from the device, and it implements a custom virtual keyboard to intercept key presses and send them to the C&C.
Based on a specific command received from the C&C, the trojan creates a customized overlay to ask the victim for banking credentials and personal and other sensitive information.
Additionally, the threat uses the WebSocket connection to exfiltrate victim data and receive commands from the C&C, which allow the attackers to launch or stop various BlankBot functionality, such as screen recording, gestures, overlay creation, data collection, and application deletion or execution.
“BlankBot is a new Android banking trojan still under development, as evidenced by the multiple code variants observed in different applications. Regardless, the malware can perform malicious actions once it infects an Android device, which include conducting custom injection attacks, ODF or stealing sensitive data such as credentials, contacts, notifications, and SMS messages,” Intel 471 notes.
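As an added defender-side illustration (not code from the article or from Intel 471), the following Python script flags an APK manifest that declares the capability combination described above: an accessibility service, a custom input method, the overlay permission, package installation and SMS access. The manifest it inspects is a constructed sample, and the permission names and intent actions are the standard Android ones.

```python
import xml.etree.ElementTree as ET
# Added defender-side triage check, not from the article or Intel 471: flags a
# manifest declaring the capability combination BlankBot is reported to use.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake credential prompts)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "side-loading additional packages",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen-recording service",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
IME_ACTION = "android.view.InputMethod"
def service_actions(root):
    """Yield the intent-filter action names of every <service> in the manifest."""
    for svc in root.iter("service"):
        for action in svc.iter("action"):
            yield action.get(ANDROID_NS + "name", "")

def triage_manifest(xml_text):
    """Return a list of BlankBot-style capability findings for an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = [f"{perm}: {why}" for perm, why in SUSPICIOUS_PERMISSIONS.items() if perm in declared]
    actions = set(service_actions(root))
    if ACCESSIBILITY_ACTION in actions:
        findings.append("accessibility service: reads screen content and automates the UI")
    if IME_ACTION in actions:
        findings.append("custom input method: sees every key press")
    return findings

def is_high_risk(findings):
    """A capture channel (accessibility or IME) plus two other markers is the combination
    a supposed utility app has no legitimate reason to declare together."""
    capture = any(f.startswith(("accessibility", "custom input")) for f in findings)
    return capture and len(findings) >= 3
# Constructed sample manifest mimicking the utility-app disguise described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Kbd" android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` lists five findings and `is_high_risk` returns True for them; a manifest declaring only INTERNET produces no findings.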