BlankBot Banking Trojan
Cybersecurity researchers have exposed a new Android banking Trojan named BlankBot, which targets Turkish users to steal financial information. BlankBot possesses various threatening capabilities, including custom overlay injections, keylogging and screen recording. It communicates with its command-and-control server over a WebSocket connection.
First identified in July 2024, BlankBot is reportedly still in active development. The malware exploits Android's accessibility services permissions to gain complete control over infected devices.
BlankBot Spread via Fake Applications
Some of the malicious APK files containing BlankBot include variations named app-release.apk with package identifiers such as com.abcdefg.w568b and com.abcdef.w568b, as well as app-release-signed (14).apk with the package identifier com.whatsapp.chma14. Additionally, there are files named app.apk with identifiers like com.whatsapp.chma14p, com.whatsapp.w568bp and com.whatsapp.w568b.
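The package identifiers above are the only device-side indicators the report gives, so a first triage step on a suspect handset is to compare the installed package list against them and against lookalikes of the namespace they impersonate. The following Python is an added example written for this page, not code from the researchers or from any tool they describe: it parses constructed `pm list packages -f` output (the `package:<path>=<name>` format printed by Android's package manager over adb) and flags both the exact identifiers named on the page and any other package squatting on the `com.whatsapp` prefix. The allow-list of legitimate WhatsApp package names is an assumption the analyst should adjust.

```python
"""Triage an Android package list against the BlankBot identifiers named in the report."""

# Package identifiers taken directly from the page.
BLANKBOT_PACKAGES = {
    "com.abcdefg.w568b",
    "com.abcdef.w568b",
    "com.whatsapp.chma14",
    "com.whatsapp.chma14p",
    "com.whatsapp.w568bp",
    "com.whatsapp.w568b",
}

# Assumed legitimate packages that legitimately use the com.whatsapp prefix
# (WhatsApp and WhatsApp Business); extend for your environment.
WHATSAPP_ALLOWLIST = {"com.whatsapp", "com.whatsapp.w4b"}
IMPERSONATED_PREFIX = "com.whatsapp."

# Constructed sample of `adb shell pm list packages -f` output; the paths are made up.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Ab1==/com.whatsapp-xyz==/base.apk=com.whatsapp
package:/data/app/~~Cd2==/com.whatsapp.chma14-abc==/base.apk=com.whatsapp.chma14
package:/data/app/~~Ef3==/com.abcdefg.w568b-def==/base.apk=com.abcdefg.w568b
package:/data/app/~~Gh4==/com.whatsapp.update-ghi==/base.apk=com.whatsapp.update
package:/product/app/Calendar/Calendar.apk=com.android.calendar
"""


def parse_pm_line(line: str):
    """Return (apk_path, package_name) for one `pm list packages -f` line, or None."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    body = line[len("package:"):]
    # The APK path itself may contain '=' (e.g. base64-like directory names),
    # so split on the LAST '=' which separates path from package name.
    path, sep, pkg = body.rpartition("=")
    if not sep or not pkg:
        return None
    return path, pkg


def classify(pkg: str):
    """Return a reason string if the package is suspicious, else None."""
    if pkg in BLANKBOT_PACKAGES:
        return "known BlankBot package identifier"
    if pkg.startswith(IMPERSONATED_PREFIX) and pkg not in WHATSAPP_ALLOWLIST:
        return "unrecognised package in the com.whatsapp namespace"
    return None


def triage(lines):
    """Map each flagged package name to the reason it was flagged."""
    findings = {}
    for line in lines:
        parsed = parse_pm_line(line)
        if parsed is None:
            continue
        _path, pkg = parsed
        reason = classify(pkg)
        if reason:
            findings[pkg] = reason
    return findings


if __name__ == "__main__":
    for pkg, reason in sorted(triage(SAMPLE_PM_OUTPUT.splitlines()).items()):
        print(f"{pkg}: {reason}")
```

On a real device, feed the function the output of `adb shell pm list packages -f` instead of the constructed sample; matching on package name alone is a cheap first pass, and a hit should be followed by pulling the APK for static analysis rather than treated as conclusive.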
Much like the recently resurfaced Mandrake Android Trojan, BlankBot employs a session-based package installer to circumvent the restricted settings feature introduced in Android 13, which prevents sideloaded applications from directly requesting unsafe permissions. BlankBot asks the victim to permit the installation of applications from third-party sources, retrieves the APK file stored in the application assets directory without encryption, and proceeds with the installation process.
The Threatening Capabilities of the BlankBot Banking Trojan
The malware offers a broad array of features, including screen recording, keylogging, and overlay injections triggered by specific commands from a remote server. Its primary aim is to capture bank account credentials, payment information, and even the device's unlock pattern.
In addition to these capabilities, BlankBot can intercept SMS messages, uninstall arbitrary applications and collect data such as contact lists and installed applications. It also exploits the accessibility services API to block the user from accessing device settings or launching anti-malware software.
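Each capability listed in this section maps to something an analyst can see in a pulled APK's manifest before running it: the session-based installer needs REQUEST_INSTALL_PACKAGES, SMS interception needs RECEIVE_SMS or READ_SMS, contact collection needs READ_CONTACTS, overlays need SYSTEM_ALERT_WINDOW, and accessibility abuse shows up as a service guarded by BIND_ACCESSIBILITY_SERVICE. The following Python is an added example for this page, not the researchers' tooling: it parses a constructed AndroidManifest.xml with the standard library and scores the combination of declared permissions against the capabilities the report attributes to BlankBot. The permission names are real Android identifiers; the manifests, the capability labels and the scoring thresholds are assumptions chosen for illustration.

```python
"""Score a decoded AndroidManifest.xml against the capabilities attributed to BlankBot."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the report's capability wording.
CAPABILITY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further APKs",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact-list collection",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app enumeration",
    "android.permission.REQUEST_DELETE_PACKAGES": "app uninstallation",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay injection",
}
# Accessibility access is not a <uses-permission>; it is the permission that
# guards the app's own accessibility <service>, so it is checked separately.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_LABEL = "accessibility-service binding"

# Constructed sample manifests (decoded form, as apktool or aapt would print them).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def manifest_capabilities(xml_text: str):
    """Return (package_name, set of capability labels) found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    found = set()
    for elem in root.iter("uses-permission"):
        label = CAPABILITY_PERMISSIONS.get(elem.get(ANDROID_NS + "name", ""))
        if label:
            found.add(label)
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            found.add(ACCESSIBILITY_LABEL)
    return package, found


def manifest_risk(xml_text: str):
    """Combine capabilities into a verdict; thresholds are an assumption for this example."""
    package, caps = manifest_capabilities(xml_text)
    has_accessibility = ACCESSIBILITY_LABEL in caps
    others = len(caps) - (1 if has_accessibility else 0)
    if has_accessibility and others >= 2:
        verdict = "high"       # accessibility control plus several banker-style abilities
    elif len(caps) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "capabilities": sorted(caps), "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, manifest_risk(text))
```

Manifest-level heuristics only say what an app could do, not what it does, so treat a "high" verdict as a reason to prioritise dynamic analysis. The accessibility check in particular is worth keeping separate from the `uses-permission` list because it is the mechanism the report ties to BlankBot's ability to block the settings app and anti-malware tools.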
Although BlankBot is a new Android banking Trojan still in development, as indicated by the various code variants seen in different applications, it is already capable of executing harmful actions once it infects an Android device.
Google Implements Additional Measures to Protect Android Users
Google has detailed the measures it is implementing to address the use of cell-site simulators, such as Stingrays, for injecting SMS messages directly into Android phones. This fraud technique, known as SMS Blaster fraud, bypasses carrier networks and their advanced anti-spam and anti-fraud filters by creating a fake LTE or 5G network that forces the user's connection to revert to a legacy 2G protocol.
To combat this issue, Google has introduced mitigation measures that include allowing users to disable 2G connections at the modem level and to turn off null ciphers. Null ciphers are crucial for a false base station to inject SMS payloads.