BlackRock Malware

Copyright © 2020 Zimperium All Rights Reserved 

Register for the Briefing

Join Zimperium for an exclusive advisory on the BlackRock malware threat. During this briefing, the Zimperium research and security teams will explain what the malware is, how it works, who it targets, and the actions you can take to detect and remediate this and other advanced threats to your mobile apps.

Wednesday, September 30, 2020
2:00 PM US Eastern / 11:00 AM Pacific
Duration: 30 Minutes

  1. Your mobile app user first installs a utility app that contains a connection to the BlackRock malware server. These apps are often handy currency conversion, stock information, or trading apps. (The BlackRock malware itself is not yet present on the device, which lets the dropper evade Google Play's detection.)

  2. Days later, the malicious utility app updates itself to deliver the BlackRock malware files to your user's device.

  3. Once installed, the malware launches and hides itself from the user so as not to raise suspicion.

  4. The malware then obtains access to the device's Accessibility Service by tricking your user into tapping on and agreeing to a fake Google update. This phony update allows the malware to gain more privileges on your user's device.

  5. Once it holds the Accessibility Service privilege, BlackRock uses it to grant itself additional permissions automatically and begins communicating with its command and control server.

  6. BlackRock then abuses the Accessibility Service (granted by your user) to display a malicious overlay screen that exactly mimics your app's login screen. Your users cannot tell this fake overlay apart from your real app running in the foreground beneath it, so your user unknowingly hands her banking login credentials or credit card information directly to the attackers. The malware also contains functions to capture incoming SMS messages so that it can record second-factor authentication codes.

  7. Captured credit card numbers and account credentials can then be used for fraudulent payments or transfers, or sold on the black market.

BlackRock malware specifically targets 337 mobile apps to steal credit card information and banking account credentials.
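An added example (not Zimperium's code and not part of the original page): a small Android helper, in Java, that an app's login screen can use to surface the two conditions the chain above depends on, namely an accessibility service enabled by a package the app does not expect (step 4) and touches arriving through another window drawn over the login form (step 6). The class and method names, the allow-list and the log tag are assumptions for this example.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.view.accessibility.AccessibilityManager;
import android.widget.Button;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Hypothetical defensive signals for the accessibility-service and overlay stages above. */
public final class OverlayDefense {
    private static final String TAG = "OverlayDefense";

    // Package names of enabled accessibility services that are not on the app's allow-list
    // (e.g. the vendor's screen reader). A hit is a signal to report to the backend, not proof
    // of infection: accessibility services are a legitimate platform feature.
    public static List<String> unexpectedAccessibilityPackages(Context ctx, Set<String> allowed) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> unexpected = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!allowed.contains(pkg)) {
                Log.w(TAG, "accessibility service enabled from unexpected package: " + pkg);
                unexpected.add(pkg);
            }
        }
        return unexpected;
    }

    /** Login button that refuses touches delivered while another window covers it. */
    public static class SecureLoginButton extends Button {
        public SecureLoginButton(Context ctx, AttributeSet attrs) {
            super(ctx, attrs);
            // Ask the framework to drop touches that arrive while this view is obscured.
            setFilterTouchesWhenObscured(true);
        }

        @Override
        public boolean onFilterTouchEventForSecurity(MotionEvent event) {
            // The input system sets this flag when another window sat over the touched point.
            // View already rejects such touches once filtering is on; the override adds telemetry.
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                Log.w(TAG, "touch arrived through an overlay window; rejected");
                return false;
            }
            return super.onFilterTouchEventForSecurity(event);
        }
    }
}
```

Call unexpectedAccessibilityPackages() when the login screen resumes and use SecureLoginButton for the submit control; the log lines are the events worth forwarding to whatever telemetry the app already reports.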

How BlackRock Steals Data