Application security, Malware, Threat Intelligence

Extensive capabilities of new BlankBot Android trojan detailed


SecurityWeek reports that Android users in Turkey have been targeted in attacks with the novel, highly capable BlankBot trojan, which could not be identified by most antivirus tools.

Attackers have been deploying BlankBot in the guise of utility apps, which, once installed, seek accessibility permissions for proper execution before performing an update that enables the acquisition of permissions for total device takeover, according to a report from Intel 471. Aside from facilitating the exfiltration of sensitive data, application lists, and SMS messages, BlankBot could also steal bank details and lock patterns, Intel 471 researchers reported.

Further analysis of the Android trojan revealed its exploitation of WebSocket to activate other features, including overlay creation, app deletion or execution, screen recording, gestures, and data gathering. BlankBot "can perform malicious actions once it infects an Android device, which include conducting custom injection attacks, [on-device fraud], or stealing sensitive data such as credentials, contacts, notifications, and SMS messages," said researchers.
