BlackRock's data theft capabilities are surprisingly advanced. The malware was first reported by the security firm ThreatFabric. It functions much like other Android malware: the researchers say BlackRock is based on an earlier strain called Xerxes, with enhanced capabilities for stealing passwords and credit card details. According to the report, the malware harvests login credentials (usernames and passwords) and also prompts users to enter their credit card details.
Once a smartphone is infected, BlackRock monitors the targeted apps. When the user enters login or credit card details, the malware sends that information back to a remote server. It relies on Android's Accessibility Service and then uses an Android DPC (device policy controller) to control the device. The accessibility privileges let the malware grant itself further permissions automatically.
When the malware is first launched on the device, it hides its icon from the app drawer, making the app invisible to the end user. BlackRock then grants itself an additional set of permissions required to function fully without having to interact any further with the victim. The bot then receives commands from the command-and-control server and carries out overlay attacks, drawing a fake login or payment screen over the legitimate app so that whatever the user types is captured.
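Because the abuse chain starts with an Accessibility Service that the victim enables, the quickest triage on a suspected device is to list which accessibility services are enabled and which of them belong to sideloaded or third-party packages. The script below is an added example, not code from the article or from ThreatFabric. It parses the text that `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` print; the sample output embedded in it is constructed, and the allowlist of known-good packages is an assumption you would tune for your fleet.

```python
"""Triage helper: flag Android accessibility services owned by third-party apps.

Input strings are the raw output of
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
The samples below are constructed for the example (hypothetical package names).
"""

# Constructed sample: two enabled services, one from TalkBack and one from
# a sideloaded "update" app (the pattern BlackRock-style droppers use).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.update/com.example.update.AccService"
)

# Constructed sample of `pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = "package:com.example.update\npackage:com.example.messenger\n"

# Assumed allowlist of packages whose accessibility services are expected.
KNOWN_OK = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Split the colon-separated setting into 'package/class' components.

    The setting prints the literal string 'null' when nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if c]


def parse_third_party_packages(raw):
    """Extract package names from 'package:<name>' lines."""
    pkgs = set()
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def suspicious_services(enabled_raw, third_party_raw, allowlist=KNOWN_OK):
    """Return enabled accessibility components that belong to a third-party
    package and are not on the allowlist, in the order they were listed."""
    third_party = parse_third_party_packages(third_party_raw)
    flagged = []
    for component in parse_enabled_services(enabled_raw):
        package = component.split("/", 1)[0]
        if package in third_party and package not in allowlist:
            flagged.append(component)
    return flagged


if __name__ == "__main__":
    for comp in suspicious_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print("suspicious accessibility service:", comp)
```

A flagged service is a lead, not a verdict: confirm it by checking whether the package has a launcher icon (`adb shell cmd package resolve-activity --brief <pkg>` returning no launchable activity is consistent with the icon-hiding described above) and whether it holds a device or profile owner role (`adb shell dumpsys device_policy`), which is the DPC abuse the report describes.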
The malware targets apps across a wide range of categories, including Books & Reference, Business, Communication, Dating, Entertainment, Lifestyle, News & Magazines, Music & Audio, Tools, and Video Players & Editors. The researchers note that it steals credentials such as usernames and passwords from 337 apps, including Amazon, Netflix, Yahoo Mail, Gmail, Google Pay and Uber.