Skip to content

New Android Malware BlackRock Infects Your Mobile Banking Apps and Wreaks Havoc

More employees are working remotely than ever, and hackers are eager to take advantage of this. We’ve recently seen an increase in various types of attacks and malware, and no person or device is immune to these threats. Windows, mac OS, and Android have been among the targets. One particular type of banking malware, BlackRock, has been targeting Android devices since late this spring.

What is the Blackrock malware?

A trojan horse that wants your info

Like many of the trojans that target mobile users, BlackRock tags along with apps on third-party sites. This particular trojan comes bundled with a fake Google update. While BlackRock hasn’t yet been identified with apps in Google Play’s app store, it wouldn’t be surprising if it becomes bundled with apps that are available through official channels soon despite Google’s attempts to authentic apps before allowing them in the app store.

What does this malware do once it is on a device?

Goes after your financial information

BlackRock is a banking trojan, which goes after the victim’s financial information. First, it asks for permission under the guise of a Google updated for the Accessibility feature, which it employs to gain access to the device policy controller or DPC. BlackRock also uses work profiles as a workaround to get some permissions. From there, BlackRock can intercept text messages, spam contacts with messages, and fill SMS channels with useless messages.

Launches Apps, Logs Your Key Presses, and More

The malware can also launch specific apps, log keypress similar to a keylogger on a computer, and send custom push notifications. When the user tries to launch popular antivirus apps such as Avast, AVG, Symantec, Trend Micro, Kaspersky, McAfee, or Avira, BlackRock sends them back to their phone’s home screen, instead. The bank trojan also prevents some Android cleaning apps from running.

A Broad and Persistent Infection

Effects more than just finance apps

This malware differs from most banking trojans, which focus only on financial apps. It targets a variety of apps, including books, entertainment, music, video players and editors, news and magazines, finance, social networking, communication, and dating apps; although, the trojan targets more financial apps than those apps in other categories. Thus far, 337 apps have been identified, and the banking trojan can steal passwords from those apps.

Steals Credit Card Data

Credit card data is also at risk if a device becomes infected by this trojan. In apps that support financial transactions, BlackRock asks users to enter their payment credentials to steal. Although the base app may be authentic, BlackRock makes use of a fraudulent “overlay” on top of the app to accomplish this. This isn’t a unique method, however. Plenty of Android malware uses the same tactic.

It’s Crafty

If victims are unaware that BlackRock infects their device, they may unwittingly give away financial and identifying information. The push notification presents a particularly frustrating function of this banking trojan because these messages can trick victims into performing other actions that further help the malware gain data and access to the device.

However, BlackRock’s ability to prevent antivirus and cleaning apps from working as intended makes it challenging to remove the malware even if a victim is aware of the infection on their device.

BlackRock Builds On A History Of Malware


Security researchers thought that BlackRock seemed similar after its discovery in May 2020 by those from the mobile security firm ThreatFabric. That’s because it’s a variant of Xerxes, malware is responsible for DDoS attacks on several years ago.  Some of our readers might recall that Xerxes itself was a variant of LokiBot, a trojan that targets Android.


BlackRock is the first malware based on Xerxes source code, despite the trojans source code being released to the public in 2019. LokiBot itself hasn’t been active for some time, and experts don’t believe the agents behind BlackRock are the same as those that set LokiBot loose. Whether other variants of LokiBot pop up in the near future or not, there’s no doubt that hackers will continue to create other Android malware. Hackers have created their own variants based on leaked source code in the past. For example, the leaked code for the Bankbot trojan resulted in new bank trojans, including CometBot, Razdel, and Anubis.

While the source code of Xerxes offers other “features,” the hackers who created and released BlackRock have disabled some of those features to focus on stealing the victim’s financial and other data.

Exercising Caution

BlackRock highlights the necessity for caution when downloading software to our devices, especially when downloading updates from Google. Third-party app stores present more risk Google’s Play Store, but Google has proved less effective at monitoring apps in its store than Apple has.

Contact us today for information about our security solutions.

wheel house it logo

Let's Start a Conversation

Fill out the form below and a member of our team will contact you within 10 minutes. (Mon-Fri 8am-6pm EST)

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Let's Start a Conversation

Rory from wheel house IT

Call (954) 474-2204, option 2 to speak with a representative.

Send us an email at

Or contact us by form below:

"*" indicates required fields

This field is for validation purposes and should be left unchanged.