BlackRock malware is an enhanced version of the Xerxes (2019) malware, whose source code was leaked publicly on underground forums. Xerxes and BlackRock both belong to the LokiBot malware family, which first appeared in 2016-17.
How does it work?
When the malware is first launched on the device:
- First it hides its icon from the app drawer.
- It asks the victim for the Accessibility Service privilege. Once granted, BlackRock starts by granting itself additional permissions. These additional permissions are required for the bot to function fully without any further interaction with the victim.
- The malware also blocks antivirus applications from being used on the device. “The Trojan will redirect the victim to the HOME screen of the device if the victim tries to start or use antivirus software as per a specific list including Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, Avira, and even applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner,” ThreatFabric explains in its blog.
- It can perform the infamous overlay attacks, send, spam and steal SMS messages, lock the victim in the launcher activity (HOME screen of the device), steal and hide notifications, deflect usage of antivirus software on the device and act as a keylogger.
- BlackRock abuses a feature which is usually used by companies to define a device policy controller (DPC) in order to control and apply policies on their mobile fleet. It simply creates and assigns itself a profile that has admin privileges.
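As an added example (not code from the original post or from ThreatFabric), the Python snippet below is a first-pass static triage heuristic: it scans an Android manifest for the capability combination described above (an accessibility service, a device-admin receiver, and SMS, overlay or notification-listener access in a single app). The sample manifest is constructed, the package name is a placeholder, and the "profile" rule is an assumption for triage, not a BlackRock signature; because BlackRock hides its icon and grants itself permissions at runtime, a manifest check only narrows the list of apps worth inspecting on the device.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace

# Capability flags derived from the behaviours described above.
PERMISSION_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
}
# Component-level bind permissions: the service/receiver itself is protected by these.
COMPONENT_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability flags found and whether they match the triage profile."""
    root = ET.fromstring(manifest_xml)
    flags = set()
    for perm in root.findall("uses-permission"):
        flags.add(PERMISSION_FLAGS.get(perm.get(A + "name")))
    app = root.find("application")
    if app is not None:
        for comp in app.findall("service") + app.findall("receiver"):
            flags.add(COMPONENT_FLAGS.get(comp.get(A + "permission")))
    flags.discard(None)
    # Assumed profile: accessibility plus device admin plus at least one abuse channel.
    matches = {"accessibility", "device_admin"} <= flags and bool(
        flags & {"overlay", "sms", "notifications"})
    return {"flags": sorted(flags), "matches_profile": matches}


# Constructed sample manifest for demonstration; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```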
How to protect your phone?
- Don’t download any unknown packages from the web or any third party app stores.
- Regularly check for suspicious app permissions.
- Beware of spam and phishing emails.
- Use antivirus software if possible.
- Use strong passwords and multi-factor authentication.
A full list of malware features and functionality, and the entire list of affected apps, can be seen on the official ThreatFabric blog. All picture credit: ThreatFabric.