Users Of Android 13 Or Newer Warned As Treacherous New Threat Emerges

https://imageio.forbes.com/specials-images/imageserve/66af8de242db4d329ef07c77/0x0.jpg?format=jpg&height=600&width=1200&fit=bounds

Threat intelligence experts have discovered a new Android banking trojan capable of capturing SMS text messages, banking information and even your device lock pattern or PIN. The treacherous threat, known to security researchers as BlankBot, has one more trick up its sleeve: it’s invisible to most antivirus software.

The malware researchers at threat intelligence outfit Intel 471 first spotted the new Android banking trojan on July 24, when it was seen primarily targeting Turkish users. Although BlankBot is thought to still be under active development, this could change over time. The researchers said that the trojan has a range of malicious capabilities including “customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection.”

BlankBot Targets Users Of Android 13 And Newer

BlankBot appears to currently be distributed as various utility applications for Android users and, as already noted, doesn’t appear to be detected by a majority of antivirus programs. So far, so familiar. The familiarity with other malware packages doesn’t need there either. BlankBot relies upon users enabling Android accessibility services to gain complete control over the infected device.

Once the app has been installed the user will be prompted to grant the required accessibility permissions with a message explaining these are needed to run properly displayed. What isn’t displayed, however, is an application icon or, indeed, much else at all. Grant that permission, and you’ll see a blank screen stating that an app update is underway and advising the user not to touch anything. The reason is that it is obtaining the permissions in the background and connecting to a malicious control server. During this process, the app will check for the operating system version being used. If it detects Android 13 or newer, then a session-based package installer that can bypass the restricted settings feature brought into play with that version is implemented. This requests that the user allow third-party source installation for the update to continue. BlankBot can maintain persistence on the infected device by preventing the user from doing a number of things, with accessing settings being one of them.

Mitigating BlankBot Infection

As previously mentioned, the researchers say that BlankBot is new and still under active development, with multiple code variants seen to date. However, that doesn’t mean it cannot be stopped in its tracks by following some basic security advice. Perhaps the most important is to only use official app stores for downloads to your Android device and avoid side-loading anything, no matter how tempting that app might appear. Secondly, beware of the permissions that you grant, especially accessibility permissions, which enable an application to pretty much take complete control of your device. Ask yourself why something might be requesting these permissions and whether alternative apps from official sources bring the same utility buy without such risky requirements.

A Google spokesperson sent me the following statement: “Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect warns users and blocks apps that contain this malware, even when those apps come from sources outside of Play.”

<<<- Go Back