New Android Trojan BlankBot Steals Financial Data

Cybersecurity researchers have uncovered a new Android banking trojan called BlankBot, targeting Turkish users to steal their financial information.

According to the analysis published last week, BlankBot possesses several malicious capabilities, including customer injections, keylogging, screen recording, and communication with a control server via a WebSocket connection.

Discovered on July 24, 2024, BlankBot is currently under active development. It exploits Android’s accessibility services permissions to gain full control over infected devices. Some of the malicious APK files containing BlankBot include:

– app-release.apk (com.abcdefg.w568b)
– app-release.apk (com.abcdef.w568b)
– app-release-signed (14).apk (com.whatsapp.chma14)
– app.apk (com.whatsapp.chma14p)
– app.apk (com.whatsapp.w568bp)
– showcuu.apk (com.whatsapp.w568b)

Similar to the recently resurfaced Mandrake Android trojan, BlankBot uses a session-based package installer to bypass the restricted settings feature introduced in Android 13, which blocks sideloaded apps from directly requesting dangerous permissions. The bot prompts victims to allow installation from third-party sources, retrieves the Android package kit (APK) file stored inside the application assets directory without encryption, and proceeds with the installation process.

BlankBot’s features include screen recording, keylogging, and injecting overlays based on specific commands from a remote server to steal bank account credentials, payment data, and even the pattern used to unlock the device. It can also intercept SMS messages, uninstall arbitrary applications, gather data such as contact lists and installed apps, and use the accessibility services API to prevent users from accessing device settings or launching antivirus apps.

Researcher noted that BlankBot is still under development, evidenced by the multiple code variants observed in different applications. Despite this, the malware can perform malicious actions once it infects an Android device.

A Google spokesperson informed that no apps containing the malware have been found on the Google Play Store. They assured that Android users are automatically protected against known versions of this malware by Google Play Protect, which warns users and blocks apps containing the malware, even if they come from outside the Play Store.

This disclosure comes as Google outlines steps to combat threat actors using cell-site simulators like Stingrays to inject SMS messages directly into Android phones, a technique known as SMS Blaster fraud. This method bypasses the carrier network and sophisticated anti-spam and anti-fraud filters. Google has introduced mitigation measures, including a user option to disable 2G at the modem level and turn off null ciphers, essential for a False Base Station to inject an SMS payload.

To protect against BlankBot and similar Android trojans, users should avoid installing apps from third-party sources and only download applications from trusted platforms like the Google Play Store. Ensure that Google Play Protect is enabled to automatically scan for and block malicious apps.

Additionally, regularly review app permissions and disable unnecessary access, particularly for accessibility services, to prevent malware from gaining control over your device.