Entity Enrichment Graph by VirusTotal


A new android malware strain was uncovered in May, boasting the ability to steal data from 337 applications, including passwords and credit card information. Among these apps are some of the most highly-used applications on any android phone, such as Netflix, Gmail, Amazon, Uber, and more.


BlackRock is based on the leaked source code of Xerces malware, which is in itself based on a series of data stealing malware variants modeled after each other, winding back to LokiBot’s source code. The android stealer’s distribution is quite simple, it is downloaded on third-party sites disguised as a legitimate Google update package. After a victim has downloaded the package, they will be prompted to approve access to the device’s Android accessibility feature. From there, the malware can easily climb the “ladder of permissions” until it gains admin permissions, which allow it to do virtually any malicious act found in its arsenal. Using this gained access, BlackRock utilizes a well-known technique called “overlaying”, detecting when the victim starts an application, and overlaying the legitimate app with a screen asking them to enter their login or credit card data before accessing the wanted program.

Although its vast data-stealing capabilities are what earned BlackRock its time in the spotlight, the malware also boasts a range of classic mobile malware capabilities, including intercepting SMS messages and performing SMS floods, keylogging, sabotaging antivirus apps, and more.

In the original BlackRock report by ThreatFabric, the threat intelligence company that uncovered this new strain, the company posted hashes of malware samples their analysts researched.


BlackRock report by ThreatFabric


ThreatSTOP’s Security and Research team wanted to discover indicators of compromise for BlackRock – IPs and Domains – to enter in to the ThreatSTOP blocklists, ensuring quick, extensive protection from the malware. Our analysts’ search for these indicators came up null on various threat exchanges, as no related IPs or domains were posted for the malware on these popular platforms.


Entity Enrichment Graph by VirusTotal


With no IPs or domains currently known for the malware, TS analysts turned to the entity enrichment Graph by VirusTotal to search for IOCs (read more about analysis enrichment tools here). During their analysis, our team found that all five BlackRock hashes were communicating with two distinct domains – jt[.]nu and paint[.]net. In addition, three of the domains were communicating with another, similarly suspicious domain (xv[.]do, jmf[.]io, vuz[.]ph, ar[.]nu). All IOCs found in this analysis were swiftly updated in the ThreatSTOP system.


ThreatSTOP IOC Analysis Visual


Android malware is not a surprising phenomenon to say the least, with 2.5 million android devices in use today. Even when mobile antivirus solutions are being used, we see that many malware variants can quite simply gain admin privileges, allowing them to evade the AV apps and proceed with their malicious plans. The first line of defense from Android malware is to try to avoid it from the get go. Only download applications that look legitimate and have a fair number of reviews, and whose publishers are also well-known or well-reviewed. Do not download applications from third-party websites, especially if they are supposed to be paid and are being offered for free – there is a good chance of receiving some malware packaged in there. In addition, stay alert and don’t visit suspicious websites on your mobile browser, or press on suspicious links in emails. While caution is important, it usually cannot create a bulletproof shield from mobile malware.

To protect yourself and others in your network, we recommend implementing a network security solution, or an endpoint solution, that blocks malicious inbound and outbound traffic, so that all connected devices will be protected from the full cyber killchain – from infection to data extortion and communication with the C&C servers.


Due to the impact of novel Coronavirus (COVID-19), ThreatSTOP is offering 3 months of MyDNS free, or until the stay at home orders expire. Whichever is longer. With the COVID-19 crisis comes an unprecedented transition to a work from home workforce, and a massive increase in cyber attacks. Because people need to work from home, we want to provide the cyber security protection they should have at work, for free.


Unlike other solutions that send all your data or DNS queries to their Cloud, creating privacy issues and potentially exposing critical company data to hacking and theft through man-in-the-middle attacks, our MyDNS puts a DNS Firewall enabled DNS server onto your device, keeping your traffic under your control and preventing DNS hijacking by enforcing DNSSEC.

Easy and quick to set up, no hardware, no contracts or obligations, and we're here to help.

Learn More