BlackRock Android Malware Steals Passwords and Card Data From 337 Apps

Researchers have found an Android malware family, ‘BlackRock’, that hides its icon when it is first launched on a mobile device. At the same time, it poses as a Google update in an attempt to gain access to the user’s Accessibility Service.

The trojan steals login credentials, both the username and the password, where they are available, and also leads the victim into entering full payment card details when the targeted app supports financial transactions.

Once it gains that access, the malware grants itself additional permissions that allow it to communicate with its command-and-control (C&C) server and to carry out its overlay attacks.

BlackRock adds some extra features, particularly ones that support stealing passwords and credit card data. Otherwise, it works like most Android banking trojans, except that it targets more apps than most of its predecessors.

BlackRock Malware

BlackRock collects data by abusing Android’s Accessibility Service events; on first launch it requests the user’s permission for the service under the guise of a fake Google update.

It is available in the Play Store and also infiltrates devices by posing as a fake Google Update on third-party stores, as Android malware groups have repeatedly found ways to circumvent Google’s app review process in the past.

At its root, BlackRock works like older Android malware and relies on tried and tested methods to display overlays and collect data.

According to the ThreatFabric report, BlackRock is capable of keylogging, granting itself permissions, SMS harvesting and sending, screen locking, device data collection, notification collection, AV detection, hiding its app icon, and preventing its removal.

How Does it Work?

When the malware is first launched on the device, it starts by hiding its icon from the app drawer so that it is not visible to the end user. In the second step, it prompts the victim to grant it the Accessibility Service privilege.


Once the user grants the requested Accessibility Service privilege, BlackRock begins by granting itself additional permissions. These are needed for the bot to operate fully without any further interaction with the victim. Once that is done, the bot is operational and able to receive commands from the C2 server and perform overlay attacks.
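As an added example (not code from the article or from ThreatFabric), the following Python script statically triages an AndroidManifest.xml for the capability combination described above: a declared Accessibility Service, the overlay permission, and SMS access. The sample manifests and package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android XML namespace used for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def triage(manifest_xml: str) -> dict:
    """Flag the capability combination BlackRock relies on:
    an Accessibility Service, overlay drawing, and SMS access."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; that is what the fake update asks the user to enable.
    service_perms = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    signals = {
        "accessibility_service": A11Y_PERM in service_perms,
        "overlay": OVERLAY_PERM in requested,
        "sms": bool(requested & SMS_PERMS),
    }
    hits = sum(signals.values())
    # Two or more of the three together is the banker-style pattern worth a closer look.
    return {**signals, "hits": hits, "verdict": "review" if hits >= 2 else "ok"}


# Constructed sample manifests (hypothetical package names, not real apps).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fakeupdate", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

Legitimate accessibility tools and SMS apps will trip one signal on their own, so this is a triage filter for further review, not a verdict on its own.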


Apart from this, BlackRock is currently active in the US, Europe, Australia, and Canada, targeting users through shopping, communication, and business apps.

Commands involved

The commands supported by this malware are as follows:

  • Send_SMS
  • Flood_SMS
  • Download_SMS
  • Spam_on_contacts
  • Change_SMS_Manager
  • Run_App
  • StartKeyLogs
  • StopKeyLogs
  • StartPush
  • StopPush
  • Hide_Screen_Lock
  • Unlock_Hide_Screen
  • Admin
  • Profile
  • Start_clean_Push
  • Stop_clean_Push

Features of this malware

BlackRock’s feature set lets it operate under the radar and actively collect the personal information it is after:

  • Overlaying: Dynamic 
  • SMS harvesting: SMS listing
  • Keylogging
  • Self-protection: Preventing removal
  • SMS harvesting: SMS forwarding
  • Device info collection
  • SMS: Sending
  • Remote actions: Screen-locking
  • Self-protection: Hiding the App icon
  • AV detection
  • Notifications collection
  • Grant permissions

BlackRock differs from other malware in the range of apps it targets, which goes well beyond the mobile banking apps that are regularly targeted.

Security experts strongly recommend a few measures users can take to protect themselves from this type of threat:

  • Make sure to download the apps only from legitimate and reliable sources like the Play Store.
  • Read app reviews before downloading.
  • Use different passwords for different services.
  • Keep an eye on app permissions.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.