Cybersecurity researchers have discovered a new Android banking Trojan called “BlankBot” that targets users in Turkey and aims to steal financial information.
“BlankBot has a variety of malicious capabilities, including user injection, keylogging and screen recording, and communicates with its control server over a WebSocket connection,” Intel 471 said in an analysis published last week.
Discovered on July 24, 2024, BlankBot is a piece of malware that exploits the permissions of Android’s Accessibility Service to gain complete control over an infected device, and is said to still be under active development.
Some of the malicious APK file names that contain BlankBot include:
- AppRelease.apk (com.abcdefg.w568b)
- AppRelease.apk (com.abcdef.w568b)
- App Release Signed (14).apk (com.whatsapp.chma14)
- App.apk (com.whatsapp.chma14p)
- app.apk (com.whatsapp.w568bp)
- showcuu.apk (com.whatsapp.w568b)
Similar to the recently resurfaced Android Trojan Mandrake, BlankBot implements a session-based package installer to circumvent the Restricted Settings feature introduced in Android 13, which blocks sideloaded applications from directly requesting dangerous permissions.
“The bot asks the victim to allow the installation of an application from a third-party source, after which it retrieves the Android Package Kit (APK) file stored unencrypted within the application assets directory and proceeds with the package installation process,” Intel 471 said.
The malware has a variety of capabilities, including screen recording, keylogging and injecting an overlay based on specific commands received from a remote server, to collect bank account credentials, payment data and even patterns used to unlock the device.
BlankBot can also intercept SMS messages, uninstall any application, and collect data such as contact lists and installed apps. Additionally, it leverages Accessibility Service APIs to prevent users from accessing device settings or launching antivirus apps.
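As an added defender-side example (not code from Intel 471 or from this article), the following triage script cross-checks the package names listed above against an Android device's installed packages and its enabled accessibility services. It assumes the output formats of `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services`; the sample outputs embedded below are constructed.

```python
import re

# Package names reported for the BlankBot samples listed in the article.
BLANKBOT_PACKAGES = {
    "com.abcdefg.w568b", "com.abcdef.w568b", "com.whatsapp.chma14",
    "com.whatsapp.chma14p", "com.whatsapp.w568bp", "com.whatsapp.w568b",
}

# Constructed sample of `pm list packages -f` output (path=package per line).
SAMPLE_PM_LIST = """\
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~Ab1/com.whatsapp-x1/base.apk=com.whatsapp
package:/data/app/~~Cd2/com.whatsapp.w568b-y2/base.apk=com.whatsapp.w568b
package:/system/app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# output: colon-separated component names (package/class).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.whatsapp.w568b/.AccService"
)


def parse_pm_list(text):
    """Map package name -> APK path; split on the last '=' because APK
    directory names can themselves contain '=' padding characters."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:") and "=" in line:
            path, pkg = line[len("package:"):].rsplit("=", 1)
            if re.fullmatch(r"[\w.]+", pkg):
                pkgs[pkg] = path
    return pkgs


def parse_a11y(text):
    """Return the set of packages that own an enabled accessibility service."""
    return {comp.split("/", 1)[0] for comp in text.strip().split(":") if comp}


def triage(pm_text, a11y_text):
    """Return (package, reason) findings: known BlankBot package names, and
    sideloaded apps (installed under /data/app/) holding accessibility access,
    the permission BlankBot relies on to control the device."""
    pkgs, a11y_pkgs, findings = parse_pm_list(pm_text), parse_a11y(a11y_text), []
    for pkg, path in sorted(pkgs.items()):
        if pkg in BLANKBOT_PACKAGES:
            findings.append((pkg, "known BlankBot package name"))
        if pkg in a11y_pkgs and path.startswith("/data/app/"):
            findings.append((pkg, "sideloaded app holds accessibility service"))
    return findings
```

Any sideloaded app with accessibility access is worth a manual look even when its package name is not on the list, since the reported names vary between samples.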
“BlankBot is a new Android banking Trojan that is still under development, as evidenced by multiple code variants spotted across different applications,” the cybersecurity firm said. “Either way, once the malware infects an Android device, it is capable of carrying out malicious actions.”
The disclosure came as Google outlined various measures it is taking to combat threat actors who use base station simulators such as Stingrays to inject SMS messages directly into Android phones in a fraud technique known as the SMS Blaster scam.
“This method of message injection completely bypasses carrier networks, avoiding all advanced network-based anti-spam and anti-fraud filters,” Google said. “SMS Blaster performs a single function: to expose a fake LTE or 5G network and downgrade the user’s connection to legacy 2G protocols.”
Mitigations include user options to disable 2G at the modem level and turn off null encryption, the latter being a crucial configuration for fake base stations to inject SMS payloads.
Earlier this month, Google also announced it would tighten security on its phones by warning users if their cellular network connection isn’t encrypted or if criminals are using cell site simulators to eavesdrop on them or send them scam SMS-based messages.