The Android BlankBot Banking Trojan May Collect Your Personal Data

Cybersecurity researchers have uncovered a new threat in the form of an Android banking trojan named BlankBot. This malicious software is targeting Turkish users, aiming to steal financial information through a variety of sophisticated methods.

BlankBot Capabilities

BlankBot is armed with a suite of harmful functionalities. According to Intel 471's analysis published last week, these include:

  • Custom Injections: Deceptive overlays that trick users into entering sensitive information.
  • Keylogging: Capturing everything typed on the device.
  • Screen Recording: Monitoring and recording user activities.
  • Control Server Communication: Using a WebSocket connection to communicate with a remote control server.

Discovered on July 24, 2024, BlankBot is still in active development. The malware leverages Android's accessibility services permissions to gain full control over infected devices. Some of the APK files identified to contain BlankBot include:

  • app-release.apk (com.abcdefg.w568b)
  • app-release.apk (com.abcdef.w568b)
  • app-release-signed (14).apk (com.whatsapp.chma14)
  • app.apk (com.whatsapp.chma14p)
  • app.apk (com.whatsapp.w568bp)
  • showcuu.apk (com.whatsapp.w568b)

How BlankBot Operates

Similar to the Mandrake Android trojan, BlankBot uses a session-based package installer to bypass the Android 13 restrictions that stop sideloaded apps from directly requesting dangerous permissions. The malware prompts the victim to allow installations from third-party sources, retrieves the APK payload stored unencrypted in the app's assets directory, and proceeds with the installation.

Once installed, BlankBot performs various malicious actions, including:

  • Screen Recording and Keylogging: To capture sensitive information.
  • Injecting Overlays: Based on specific commands from a remote server to steal banking credentials and payment data.
  • Intercepting SMS Messages: To capture authentication codes and other critical information.
  • Uninstalling Applications: Removing security apps and other software.
  • Gathering Data: Harvesting contact lists, installed apps, and other personal data.
  • Preventing Access: Using the accessibility services API to block access to device settings and antivirus apps.
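As an added triage example (not code from Intel 471 or the original article), the script below takes the package names listed above and the article's note on accessibility-service abuse, and checks two pieces of device output an analyst can pull over adb: `pm list packages -f` and `settings get secure enabled_accessibility_services`. The sample output and the `.MainService` class name are constructed for the example.

```python
import re

# Package names Intel 471 reported as carrying BlankBot (taken from the list above)
BLANKBOT_PACKAGES = {
    "com.abcdefg.w568b",
    "com.abcdef.w568b",
    "com.whatsapp.chma14",
    "com.whatsapp.chma14p",
    "com.whatsapp.w568bp",
    "com.whatsapp.w568b",
}

# Line format of `adb shell pm list packages -f`: package:<apk path>=<package name>
_PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")


def find_blankbot_packages(pm_output: str) -> list:
    """Return (package, apk_path) pairs whose name matches a known BlankBot package."""
    hits = []
    for line in pm_output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m and m.group("pkg") in BLANKBOT_PACKAGES:
            hits.append((m.group("pkg"), m.group("path")))
    return hits


def suspicious_accessibility_services(setting_value: str) -> list:
    """Parse the colon-separated enabled_accessibility_services value
    (package/ServiceClass entries) and return entries owned by a BlankBot package."""
    flagged = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue
        pkg = entry.split("/", 1)[0]  # everything before the slash is the package name
        if pkg in BLANKBOT_PACKAGES:
            flagged.append(entry)
    return flagged


# Constructed sample output (not a real device capture): the genuine WhatsApp package
# must not be flagged, the look-alike sideloaded package must be.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Ab12==/com.whatsapp-XYZ==/base.apk=com.whatsapp
package:/data/app/~~Cd34==/com.whatsapp.chma14-QRS==/base.apk=com.whatsapp.chma14
"""
# Constructed value; the service class name is hypothetical
SAMPLE_A11Y = "com.google.android.marvin.talkback/.TalkBackService:com.whatsapp.chma14/.MainService"

if __name__ == "__main__":
    print(find_blankbot_packages(SAMPLE_PM_OUTPUT))
    print(suspicious_accessibility_services(SAMPLE_A11Y))
```

On a real device, feed the script the output of `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services`; an accessibility service enabled for a sideloaded package that impersonates WhatsApp is the signal worth escalating.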

Google’s Response and Protection Measures

Google has stated that no apps containing BlankBot have been found on the Google Play Store. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services. This protection warns users and blocks apps containing the malware, even from sources outside of Play.

In response to broader threats, including those posed by SMS Blaster fraud techniques that bypass carrier network protections, Google has introduced several mitigation measures. These include the option to disable 2G at the modem level and turn off null ciphers, which are essential for the operation of False Base Stations used in such attacks. Additionally, Google has stepped up cellular security by alerting users to unencrypted network connections and the use of cell-site simulators for snooping or SMS fraud.

The discovery of BlankBot highlights the ongoing evolution of Android malware and the need for vigilant security practices. As this trojan continues to develop, it's crucial for users to stay informed and take advantage of built-in security features like Google Play Protect. By remaining cautious and aware, users can help protect their devices and personal information from emerging threats.

August 5, 2024