Researchers have discovered a new Android malware dubbed BlackRock that can steal personal information including user credentials and credit card details from at least 337 apps.

Analysts at ThreatFabric had discovered this new malware around May 2020. The malware seems to be derived from a source code of another Android banking Trojan called Xerxes banking malware, which had been made public last year.

The malware works on the basis of ‘overlay attacks.’ In simpler terms, the app detects user activity with a legitimate app. It then displays a fake window to gain information before the legitimate app is opened.

“When the malware is first launched on the device, it will start by hiding its icon from the app drawer, making it invisible to the end-user. As second step it asks the victim for the Accessibility Service privileges,” explained the report.

“Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform the overlay attacks,” it added.

BlackRock embeds features such as overlaying, SMS harvesting, device info collection, notification collection, etc to carry out the cyberattack.

“337 unique applications in BlackRock's target lists, many applications haven't been observed to be targeted by banking malware before. Those "new" targets are mostly not related to financial institutions and are overlayed in order to steal credit card details,” said the report.

The malware also targets social media and lifestyle apps. BlackRock target list for credential theft includes 226 applications including BHIM UPI, Microsoft Outlook, Netflix, Gmail, Yahoo Mail, Uber among others. The malware’s target list for credit card theft includes 111 applications that include Telegram, WhatsApp, Twitter, Facebook among others as per the report.

The complete list for targeted apps can be accessed through ThreatFabric ’s website.