Turkish-speaking Android users are being targeted by a malicious Android program whose sole purpose is to gain access to their sensitive data.
The malware uses web injections to trick users into handing over sensitive details, which it captures as screen grabs and keystrokes. Security researchers have named the Trojan BlankBot and believe it is still under development. BlankBot also manages to go undetected by anti-malware scanners.
Researchers believe the Trojan's developers have considerable experience in Android application development as well as in the account takeover (ATO) business. According to the researchers, the group mimics account login pages using openly available libraries.
These libraries make it easy for the threat actors to copy legitimate applications with high fidelity: the phishing pages resemble the originals so closely that users see nothing suspicious.
Researchers do not yet know why the group is targeting Turkish users. This is not the first time Turkey has faced a cyberattack: recently, China's APT41 attacked Turkey's automotive industry and technology infrastructure, and India's SideWinder has also been targeting Turkish individuals.
The Trojan comes equipped with multiple features. BlankBot requests permissions from the user and then abuses Android's accessibility services to gain control of the smartphone. Once it has that control, it begins recording the phone's screen using the MediaProjection API.
The recording is saved as JPEG images, which are then sent to a remote server. The accessibility services also let the malware simulate the user's finger swipes. BlankBot allows threat actors to carry out on-device fraud (ODF) by injecting different kinds of user gestures, such as swipes and clicks. BlankBot is also able to collect phone contacts and SMS messages and to create overlays.
Researchers believe BlankBot was not developed for espionage; its core purpose is to make quick and easy monetary gains. If the threat actors tried to use BlankBot for espionage, it could be detected easily by anti-malware setups.
As of now, researchers have not been able to identify any specific financial institutions that are the direct target of the malware. The malware is also capable of targeting non-Turkish users.
A Google spokesperson said that Google Play Protect has not yet detected any such malware in Play Store apps, and advised users to download apps only from the Play Store to improve their security.
Security researchers advise users to manage their Android permissions with caution. Users should pay close attention to any permission they grant, as part of overall phishing protection. Accessibility permissions in particular deserve full attention, as they can make the device remotely controllable by the threat actors.
Researchers note that, apart from data theft, BlankBot is also able to intercept text messages, uninstall mandatory applications, mimic lock patterns, and collect data from already installed apps.
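The capability profile described above (an accessibility service combined with overlay, SMS, contacts, package-removal and screen-capture permissions) can be checked for in an APK's manifest during triage. The following is an added example written for this article, not BlankBot's code or any vendor's detection logic; the sample manifest is constructed, and the risk thresholds are an assumed heuristic, since accessibility services alone are legitimate for assistive apps.

```python
"""Triage an AndroidManifest.xml for the accessibility + overlay + SMS
capability combination used for on-device fraud.  Added example; the
sample manifest below is constructed, not taken from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capabilities named in the report, mapped to the permissions that grant them.
CAPABILITIES = {
    "overlay":        {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms":            {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts":       {"android.permission.READ_CONTACTS"},
    "uninstall":      {"android.permission.REQUEST_DELETE_PACKAGES"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

def declares_accessibility_service(app):
    """True if any <service> binds as an accessibility service."""
    for svc in app.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            return True
        for action in svc.iter("action"):
            if action.get(NAME) == "android.accessibilityservice.AccessibilityService":
                return True
    return False

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    found = sorted(cap for cap, perms in CAPABILITIES.items() if requested & perms)
    app = root.find("application")
    a11y = app is not None and declares_accessibility_service(app)
    # Assumed heuristic: accessibility control plus overlay and SMS access
    # is the ODF profile; either piece alone only warrants a closer look.
    if a11y and {"overlay", "sms"} <= set(found):
        verdict = "high"
    elif a11y or len(found) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"accessibility_service": a11y, "capabilities": found, "verdict": verdict}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application><service android:name=".A11y"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` against a decoded manifest (for example the output of an APK decompiler) to get the flagged capabilities and verdict; a real-world triage would add static checks for MediaProjection and gesture-dispatch API usage in the code itself.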