New Android Threat BlankBot Targets Users of Android 13 and Newer
A newly discovered Android banking trojan, named BlankBot, poses a significant threat to users of Android 13 or newer, security researchers have warned. The malware is capable of capturing sensitive information such as SMS messages, banking details, and even the device lock pattern or PIN. Even more concerning, BlankBot is largely undetectable by most antivirus software.
Discovery and Capabilities
Researchers from threat intelligence firm Intel 471 first identified BlankBot on July 24, with initial attacks primarily targeting Turkish users. While BlankBot is still under active development, it already boasts a range of malicious functionalities. These include customer injections, keylogging, screen recording, and communication with a control server via a WebSocket connection.
Distribution and Stealth Tactics
BlankBot is currently being distributed disguised as various utility applications for Android devices. Upon installation, the malware prompts users to grant accessibility permissions under the guise of needing them to function correctly. However, once these permissions are granted, the app icon disappears, and a blank screen stating an update is underway appears, advising users not to touch anything. This ruse allows the malware to obtain the necessary permissions in the background and connect to its malicious control server.
The trojan is particularly dangerous for devices running Android 13 or newer. It uses a session-based package installer to bypass the restricted settings feature introduced in these versions, requesting users to allow third-party source installation to continue the fake update. BlankBot also ensures its persistence by preventing users from accessing settings or removing the malware.
Mitigation Strategies
Despite BlankBot being new and actively developed, there are measures users can take to protect themselves. The most crucial step is to only download apps from official app stores like Google Play and avoid side-loading apps from unknown sources. Users should also be cautious about the permissions they grant, especially accessibility permissions, which can give an app complete control over the device. It’s essential to question why an app might need such permissions and consider alternatives from reputable sources that do not require risky permissions.
Google’s Response
In response to the BlankBot threat, a Google spokesperson stated: “Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect warns users and blocks apps that contain this malware, even when those apps come from sources outside of Play.”
By following these security measures and staying vigilant, Android users can significantly reduce the risk of falling victim to BlankBot and similar threats.
