BlackRock Malware targeting email, social media and banking apps

BlackRock vulnerability is derived from the code of the Xerxes banking malware

New Android malware – BlackRock – is now targeting more apps than ever including email and social media apps as well as banking apps.

BlackRock is known to target apps like WhatsApp, Tinder, Twitter, Gmail, Skype, and Facebook among others. BlackRock is essentially derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan.

The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor, according to cyber-crime and fraud prevention firm ThreatPost.

When the malware is first launched on the device, it appears as a fake notification pop-up and disappears from the app drawer. The malware then asks for accessibility permissions.

Once the accessibility is granted, the app grants itself the rest of the administrator permissions to function without any hindrance. The malware uses the smartphone’s accessibility feature and Android DPC (Device Policy Controller) for permissions. 

Once the BlackRock malware is successfully installed on a smartphone, it monitors the targetted app. As soon as the user enters his bank credentials, the information is sent to the server. The app can send and steal SMS, AV detection, keylogging, etc. 

BlackRock Target Apps

BlackRock malware is derived from banking malware but is not limited to only banking apps. It also targets other apps ranging from Lifestyle, Music, News, etc. and steals the passwords and other information on the apps. 

The researchers are of the view that BlackRock steals login credentials from 226 apps such as PayPal, Amazon, eBay, Gmail, Google Play, Uber, Yahoo Mail, Amazon, Netflix and more while the app steals bank details from 111 apps such as  Facebook Messenger, Google Hangouts, Instagram, PlayStation, Reddit, Skype, TikTok, Twitter, WhatsApp, YouTube and more. 

ThreatFabric state:

The Trojan will redirect the victim to the Home screen of the device if the victims try to start or use antivirus software as per a specific list including Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, Avira, and even applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner.

Rapid Mobile

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.


By continuing to use our site or clicking I Accept, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.


You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.


Privacy Settings saved!
Cookie Services

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies.Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Decline all Services
Accept all Services