A new Android banking trojan, identified as “BlankBot,” has emerged as a critical threat to mobile users, particularly those in Turkey. Reported by Intel 471 Malware Intelligence researchers on July 24, 2024, BlankBot exhibits advanced capabilities including screen recording, keylogging, and remote control. Posing as legitimate utility applications, it bypasses security controls and takes over the infected device.
Upon installation, BlankBot hides its launcher icon and requests accessibility permissions. It leads users to believe they are updating the application while it quietly obtains these permissions in the background. On devices running Android 13 or newer, the malware uses a session-based package installer to bypass standard security features, installing additional malicious APKs directly from the application’s assets directory.
The malware initiates communication with its command-and-control (C2) server through an HTTP GET request that reports device information such as battery status and OS details. It then maintains a persistent connection to the C2 server over WebSocket on port 8080.
BlankBot’s most dangerous capabilities are screen capture and the interception of sensitive user input through keylogging. Using Android’s MediaProjection and MediaRecorder APIs, it records on-screen activity and exfiltrates the captured images as Base64-encoded data. By abusing accessibility services, it can draw custom overlays that capture banking credentials and personal information.
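The behaviours described above (an accessibility service, an installer permission with an APK embedded in assets, and screen capture via media projection) give a defender a concrete capability combination to look for when triaging an unpacked APK. The following is an added example, not Intel 471's tooling or code from the malware; it assumes the APK has already been unpacked (for instance with apktool) so that the manifest is plain XML, and the manifest and asset listing below are constructed samples.

```python
import re

# Constructed sample manifest of an unpacked APK (not taken from a real sample).
SAMPLE_MANIFEST = """
<manifest package="com.example.utilityapp">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""
# Constructed listing of the unpacked APK's assets/ directory.
SAMPLE_ASSETS = ["assets/fonts/roboto.ttf", "assets/upd/core.apk", "assets/config.json"]

# Each indicator corresponds to one behaviour the report describes.
INDICATORS = {
    "accessibility_service": r"android\.permission\.BIND_ACCESSIBILITY_SERVICE",
    "package_installer": r"android\.permission\.REQUEST_INSTALL_PACKAGES",
    "media_projection": r"FOREGROUND_SERVICE_MEDIA_PROJECTION",
}

def manifest_indicators(manifest_xml: str) -> set:
    """Return the names of indicators whose pattern appears in the manifest."""
    return {name for name, pat in INDICATORS.items() if re.search(pat, manifest_xml)}

def embedded_apks(asset_paths) -> list:
    """APK files shipped inside assets/ match the dropper pattern used on Android 13+."""
    return [p for p in asset_paths if p.lower().endswith(".apk")]

def triage(manifest_xml: str, asset_paths) -> dict:
    """Combine manifest and asset indicators into a simple triage verdict."""
    found = manifest_indicators(manifest_xml)
    apks = embedded_apks(asset_paths)
    if apks:
        found.add("embedded_apk")
    # Accessibility access alone is common in legitimate apps; flag it only when it is
    # paired with at least two of the other capabilities from the report.
    verdict = "suspicious" if "accessibility_service" in found and len(found) >= 3 else "review"
    return {"indicators": sorted(found), "embedded_apks": apks, "score": len(found), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_ASSETS))
```

A "suspicious" verdict is a prompt for manual analysis, not proof of infection, since each permission has legitimate uses on its own.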
Designed to evade detection, BlankBot checks that it is running on a genuine device and blocks access to critical settings and antivirus apps. Its recent iterations use sophisticated obfuscation techniques, which make the malware harder for security researchers to analyze.
In light of these developments, cybersecurity experts stress that Android users should be vigilant when downloading applications and should keep their devices updated with the latest security patches. With global campaigns a real possibility, users need to be proactive in safeguarding their personal data against this trojan.