Researchers detected a new Android banking trojan called BlankBot on July 24, 2024. It’s one of the latest threats, showing the ever-increasing prevalence of the use of screen overlay attacks.
In this instance, the malware pursues Turkish users in efforts to steal financial information and seems to be “still under development, as evidenced by the multiple code variants observed in different applications,” according to an Intel 471 analyst advisory.
After tricking the victim into granting it accessibility-service permissions, BlankBot abuses Android’s accessibility services to gain complete control over infected devices—taking screen grabs, capturing keystrokes, and allowing criminals to use customized overlays, targeting arbitrary legitimate applications, in order to trick users into entering personal details.
“BlankBot features a range of malicious capabilities, which include customizable injections, keylogging, and screen recording, and it communicates with a control server over a WebSocket connection,” the advisory said. BlankBot developers use openly accessible libraries for imitating account pages and creating other overlays.
“The developers appear to be experienced Android application developers, and they also demonstrate an understanding of the ATO (account takeover) business,” the analysts explained. “These libraries allow the malware operators to imitate real financial applications more closely and create a seamless, authentic-looking phishing page, making it more likely that a user will follow all the steps and give up their sensitive information.”
BlankBot’s just one of the latest to employ the insidious screen overlay tactic, as just a couple months ago VMX Labs discussed the AzraelBot trojan that targeted users in Italy and Brazil. We’ve also previously highlighted the HOOK mobile malware that relies on complex overlay attacks to get its foot in the door. And there are, of course, many more such uses—including the Mandrake spyware that ended up appearing on Google Play.
There’s little doubt that cybercriminals are increasingly seeing the value in taking the time to carefully implement overlays within their attacks.
More on BlankBot
Similar to the Mandrake Android trojan, BlankBot uses a session-based package installer to bypass the restrictions introduced in Android 13 to keep sideloaded applications from demanding unsafe permissions. “The bot asks the victim to allow installing applications from third-party sources, then it retrieves the Android package kit (APK) file stored inside the application assets directory with no encryption and proceeds with the package installation process,” the advisory continued.
BlankBot can then record the screen by means of the MediaProjection API, saving the captures as JPEG images and sending them to a remote server. Using an uncommon method, BlankBot also implements its own keyboard to capture user keystroke input directly.
“BlankBot also uses two open source libraries, CompactCreditInput and Pattern Locker View, to create screens that mimic the data entry pages for various sensitive credentials, such as usernames, passwords, PIN combinations, and credit card information,” the analysts stated.
The malware is also able to intercept SMS messages and to collect data such as contact lists and installed apps. It creates a tailored overlay to prompt the victim for information, including financial credentials.
“Threat actors are able to perform on-device fraud (ODF) by waking up and controlling the device remotely with different types of supported gestures, such as clicks or swipes,” the advisory detailed. “We’re fairly certain that this malware was not written for espionage because it has all of the features required for account takeover for financial gain, such as overlays for popular financial applications.”
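The capability combination described above (accessibility service, overlay window, session-based installer with an unencrypted APK in the assets directory, custom keyboard, SMS and contact access) is what an analyst would look for when triaging a suspicious APK. The following static triage script is an added example and is not code from Intel 471, Verimatrix or the BlankBot sample; it assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool), and the indicator weights, alert threshold and sample manifest are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability
combination this post attributes to BlankBot. Added example, not Intel 471
or VMX Labs code. Assumes the manifest has already been decoded from
binary AXML to plain XML (e.g. with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission-based indicators. Weights are illustrative assumptions: a
# single hit is common in benign apps; the combination is what matters.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay_window", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload_installer", 2),
    "android.permission.READ_SMS": ("sms_read", 1),
    "android.permission.RECEIVE_SMS": ("sms_receive", 1),
    "android.permission.READ_CONTACTS": ("contacts", 1),
    "android.permission.QUERY_ALL_PACKAGES": ("app_inventory", 1),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen_capture", 1),
}
# Service-binding indicators: a service the system binds with one of these
# permissions is an accessibility service or a custom keyboard (IME).
SERVICE_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility_service", 3),
    "android.permission.BIND_INPUT_METHOD": ("custom_keyboard", 2),
}
ALERT_THRESHOLD = 6  # assumption: tune against your own sample set


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found, a weighted score and an alert flag."""
    root = ET.fromstring(xml_text)
    found = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_INDICATORS:
            tag, weight = PERMISSION_INDICATORS[name]
            found[tag] = weight
    for svc in root.iter("service"):
        bind = svc.get(ANDROID_NS + "permission", "")
        if bind in SERVICE_INDICATORS:
            tag, weight = SERVICE_INDICATORS[bind]
            found[tag] = weight
    score = sum(found.values())
    return {"indicators": sorted(found), "score": score,
            "alert": score >= ALERT_THRESHOLD}


def find_embedded_archives(assets: dict) -> list:
    """Names of asset files that are ZIP/APK containers (ZIP local-file-header
    magic), the unencrypted dropper payload pattern the advisory describes."""
    return sorted(name for name, data in assets.items()
                  if data[:4] == b"PK\x03\x04")


# Constructed sample manifest in the shape of a dropper-plus-bot; not taken
# from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Constructed">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Kbd"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""

# Constructed asset listing: one config file and one ZIP-magic stub.
SAMPLE_ASSETS = {
    "assets/config.json": b'{"c2": "wss://placeholder.invalid"}',
    "assets/data.bin": b"PK\x03\x04" + b"\x00" * 32,
}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print("embedded archives:", find_embedded_archives(SAMPLE_ASSETS))
```

Run it against the decoded manifest and the `assets/` listing of an APK you are triaging; a high score plus an embedded ZIP-magic file in assets is the dropper-and-bot shape this post describes, and is worth a manual look even when Play Protect has no signature for the sample yet.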
Not appearing on Google Play
A Google spokesperson told The Hacker News that the company has not found any apps containing the malware on the Google Play Store.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” the industry titan said. “Google Play Protect warns users and blocks apps that contain this malware, even when those apps come from sources outside of Play.”
Verimatrix, of course, agrees that applications should only be installed from trusted sources, but it should also be reiterated that trusted app stores can and often do contain malware.
Regardless of the source, malware from high-risk sideloading or legitimate app stores is not only present but on the rise. Abuse of the Android accessibility API is a very common and continuously renewed trend in the criminal malware industry.