A new Android banking trojan named BlankBot has been discovered by threat intelligence experts, capable of stealing SMS text messages, banking information, and device lock patterns or PINs. What sets BlankBot apart is its invisibility to most antivirus software, making it difficult to detect and remove from infected devices. Initially targeting Turkish users, BlankBot is still under active development and has a range of malicious capabilities including customer injections, keylogging, and screen recording. The trojan communicates with a control server over a WebSocket connection, allowing attackers to remotely access and control infected devices.
BlankBot primarily targets users of Android 13 and newer devices and is distributed as various utility applications for Android users. The trojan remains undetected by most antivirus programs and relies on users enabling Android accessibility services to gain complete control over the infected device. Once installed, the app prompts users to grant the required permissions under the guise of an app update, while running in the background and connecting to a malicious control server. BlankBot checks for the operating system version being used and implements a session-based package installer to bypass restricted settings for newer Android versions. The trojan can prevent users from accessing settings and maintain persistence on infected devices.
To mitigate the risk of BlankBot infection, users are advised to only download apps from official app stores and avoid side-loading applications from unknown sources. It is important to pay attention to the permissions requested by an app, especially accessibility permissions that grant complete control over the device. By understanding why an app requires certain permissions and opting for alternatives from official sources, users can minimize the risk of falling victim to malware attacks. Google Play Protect automatically detects and blocks known versions of this malware, providing an additional layer of security for Android users. The protection is enabled by default on Android devices with Google Play Services, offering warnings and blocking malicious apps even from external sources.
In a statement provided by a Google spokesperson, it was confirmed that no apps containing BlankBot malware have been found on Google Play. Android users are protected against known versions of the malware by Google Play Protect, which actively scans apps for malicious content and warns users about potential threats. Despite the presence of BlankBot, Android users can rely on Google’s security measures to prevent infections and maintain the safety of their devices. It is essential for users to stay vigilant, exercise caution while downloading apps, and follow recommended security practices to protect themselves from evolving threats like BlankBot.