A newly discovered Android banking trojan named BlankBot is posing a significant threat to Turkish users by targeting their financial information. Unveiled on July 24, 2024, BlankBot is a sophisticated piece of malware that leverages various malicious capabilities to compromise Android devices. The trojan is designed to perform keylogging, screen recording, and overlay injections, all while communicating with a remote control server through a WebSocket connection. Its primary objective is to steal sensitive data, including bank account credentials and payment information.
BlankBot takes advantage of Android’s accessibility services permissions to gain full control over infected devices. This allows it to bypass restrictions introduced in Android 13 that aim to block sideloaded applications from requesting dangerous permissions directly. Notably, BlankBot uses a session-based package installer to sidestep these security measures, requesting users to enable installation from third-party sources before proceeding with the malware’s installation.
The trojan’s functionality extends to intercepting SMS messages, uninstalling arbitrary applications, and gathering a wide range of personal data, such as contact lists and installed apps. Its ability to block users from accessing device settings or launching antivirus apps further complicates efforts to detect and remove the malware. As BlankBot continues to evolve, it has been observed in various code variants across different applications.
In response to the threat, Google has confirmed that no instances of BlankBot have been found on the Google Play Store. The company reassures users that Google Play Protect, which is enabled by default on Android devices with Google Play Services, provides protection against known versions of the malware. Additionally, Google is enhancing its security measures to combat other threats, such as SMS Blaster fraud, by alerting users to unencrypted cellular connections and suspicious activities involving cell-site simulators.
Reference: