New Android Banking Trojan BlankBot Identified, Poses Significant Risks

04 Aug 2024

BlankBot: A New Android Banking Trojan Threat

Threat intelligence experts have recently identified a new Android banking trojan that poses significant risks to users. Dubbed BlankBot, this malware is adept at capturing SMS text messages, banking credentials, and even device lock patterns or PINs. What sets BlankBot apart is its stealthy nature; it remains undetected by most antivirus software, making it a particularly insidious threat.

The malware was first detected by researchers at Intel 471 on July 24, primarily targeting users in Turkey. Although BlankBot is still believed to be in active development, its capabilities are already alarming. The trojan can perform a variety of malicious actions, including customer injections, keylogging, and screen recording, all while communicating with a control server via a WebSocket connection.

BlankBot Targets Users Of Android 13 And Newer

Currently, BlankBot is distributed through various utility applications aimed at Android users. Its ability to evade detection by most antivirus programs is a trait it shares with other malware threats. To gain full control over an infected device, BlankBot abuses Android accessibility services.

Upon installation, users are prompted to grant necessary accessibility permissions under the guise of ensuring proper functionality. However, the app has no application icon or any visible interface. Instead, users are met with a blank screen that claims an app update is in progress, advising them not to interact with the device. In reality, the trojan is securing permissions in the background and establishing a connection to a malicious control server.

If the device runs on Android 13 or newer, BlankBot employs a session-based package installer that circumvents restricted settings, prompting users to allow installations from third-party sources. This tactic enables the malware to maintain persistence on the device, effectively locking users out of critical settings.

Mitigating BlankBot Infection

While BlankBot is still evolving, researchers emphasize that it can be thwarted by adhering to fundamental security practices. The most crucial advice is to download applications exclusively from official app stores and to avoid side-loading apps, regardless of their allure. Additionally, users should exercise caution when granting permissions, particularly accessibility permissions, which can grant an application extensive control over the device.

It’s essential to question the necessity of such permissions and consider whether alternative applications from reputable sources can provide similar functionality without the associated risks.
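The permission review described above can be partly automated from a workstation with adb. The following is an added example, not code from the article or from Intel 471: it cross-references the packages that hold an enabled accessibility service with the installer recorded for each package and lists those that did not come from a trusted store. The trusted-installer set, the function names and the sample package names are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Installers treated as official stores (assumption; extend for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(setting: str) -> set[str]:
    """Packages named in `settings get secure enabled_accessibility_services`,
    a colon-separated list of package/service components ("null" when empty)."""
    value = setting.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_installers(listing: str) -> dict[str, str]:
    """Map package -> installer from `pm list packages -i` output."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", listing, re.M))

def flag_services(setting: str, listing: str) -> list[tuple[str, str]]:
    """Accessibility-enabled packages whose installer is not a trusted store."""
    installers = parse_installers(listing)
    flagged = []
    for pkg in sorted(parse_accessibility(setting)):
        source = installers.get(pkg, "unknown")
        if source not in TRUSTED_INSTALLERS:
            flagged.append((pkg, source))
    return flagged

def adb(*args: str) -> str:
    """Run one command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample output; the com.example.* package names are made up.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.utility/com.example.utility.Svc\n")
SAMPLE_LISTING = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.utility  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    live = "--device" in sys.argv  # hypothetical flag: query a real device
    setting = adb("settings", "get", "secure",
                  "enabled_accessibility_services") if live else SAMPLE_SETTING
    listing = adb("pm", "list", "packages", "-i") if live else SAMPLE_LISTING
    for pkg, source in flag_services(setting, listing):
        print(f"review: {pkg} holds accessibility access (installer={source})")
```

Preinstalled system packages can also report a null installer, so a flagged entry is a prompt for review rather than a verdict.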

I have reached out to Google for a statement.

Update: 04 Aug 2024