LokiBot Redux Attacks Massive List of Common Android Apps

Researchers have discovered a new variant of the LokiBot trojan called BlackRock, that’s attacking not just financial and banking apps, but also a massive list of well-known and commonly used brand-name apps on Android devices.

Uber,  The apps targeted include:  Amazon, eBay, Facebook, Grinder, Instagram, Netflix, PlayStation, Reddit, Skype, Snapchat, TikTok, Tinder,  Tumblr, Twitter and VK, among many others, researchers said.

The malware, which ThreatFabric discovered in May, is derived from the source code of the Xerxes banking malware, which itself is a variant of LokiBot, researchers said in report posted online Thursday. The threat actor behind Xerxes made the source code to that malware public in 2019, a type of event that typically sets off a chain reaction of malware variants, researchers noted.

BlackRock is on one level a normal banking trojan, targeting banking and different crypto apps across various countries on at least five continents, including the United States, Japan, United Kingdom, Australia, France, Canada and Malaysia.

Among its features are those included in most credential-stealing malware, including the ability to perform overlay attacks; send, spam and steal SMS messages; lock the victim in the device home screen; and steal and hide notifications. It also can act as a keylogger, logging the text content from targeted apps that’s shown on the device screen, researchers said.

But while BlackRock’s banker abilities are not overly impressive, offering “a quite common set of capabilities compared to average Android banking trojans,” according to the report, it has other assets.

One of the things that’s unique is that non-financial group of apps it targets; BlackRock lifts data from a rather extensive list of very common chat, dating, gaming and social-media apps. This significantly widens the playing field for the victims it can target, researchers said.

Additionally, BlackRock can hide from antivirus programs, redirecting a victim to the home screen of the device if he or she tries to start or use specific antivirus software. Programs the malware can detect and deflect include: Avast, AVG, BitDefender, Eset, Symantec, TrendMicro, Kaspersky, McAfee and Avira, researchers said, as well as applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner.

“By doing so, the trojan tries to avoid letting the victim remove it from the device and establish some form of persistency,” researchers wrote.

LokiBot the Trickster

When BlackRock first launches on a device, it hides its icon from the app drawer so it’s invisible to the device user. And then, in most cases, it poses as a fake Google update to ask the victim for the Accessibility Service privileges.

Once this privilege is granted, BlackRock takes the liberty of giving itself additional permissions so it can fully function without having to interact any further with the victim. Upon full installation, the trojan can receive commands from the command-and-control (C2) server and perform its malicious activity, researchers said.

One other  unique functionality BlackRock has in comparison to other Android trojans is that it takes advantage of Android work profiles by creating and attributing itself a profile to gain admin privileges. Usually only mobile-device companies use these profiles to define a device policy controller (DPC), which allows them to control and apply policies on their mobile fleet without having complete admin rights, researchers noted.

LokiBot Rides Again

LokiBot is a prolific trojan that was first detected in late 2016 and became infamous for being simple and effective in its ability to covertly siphon information from compromised endpoints. As a solitary threat, the trojan has not been active for some time, ThreatFabric researchers said. However, it’s lived on through distribution in variants or various forms that can hitch a ride inside other file formats.

LokiBot even surfaced during the height of the coronavirus pandemic as part of a spearphishing campaign that loaded the trojan via malicious document attachments that used the trademark of the World Health Organization as a lure.

Researchers said they have seen attempts by threat actors to revive LokiBot over the past several years. However, it seems threat actors were not very successful at it until the Xerxes source code was released. That said, BlackRock’s capabilities are not as expansive as what exists in that code, according to ThreatFabric.