High
Researchers report on a banking Trojan, dubbed “BlackRock”, that appears to be a derivative of Xerxes and LokiBot. The source code for Xerxes has been publicly available since around May of 2019. One change made to that source code to create BlackRock is to the list of targets. The additions include social media, networking, communication, and dating apps. After installation onto an Android device, BlackRock first hides its icon from the app drawer so that it is not visible to the user. It then asks for additional privileges, namely access to the Accessibility Service. The Accessibility Service is a known pathway to gaining additional privileges in the Android world. Once this privilege is granted by the user, BlackRock grants itself additional privileges so that further user interaction is no longer required. After this is accomplished, it waits for instructions from its command and control server. Should the user attempt to use any of a number of Android anti-virus applications, it will lock the user to the home screen of the device. Functions available to BlackRock include performing overlay attacks, stealing SMS messages, hiding notifications, and acting as a keylogger.
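The combination described above (a hidden launcher icon plus an enabled Accessibility Service) can be checked during device triage. The following is an added example, not part of the original report and not taken from the researchers' tooling: it flags third-party packages that hold an enabled Accessibility Service but expose no launcher icon. It assumes the inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, plus a separately gathered list of launcher activity components, one `package/class` per line; all package names and sample data are constructed.

```python
"""Flag third-party apps with an enabled Accessibility Service and no launcher icon."""

def parse_accessibility(raw):
    """Packages from the enabled_accessibility_services setting.
    The value is a colon-separated list of package/class components, or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if "/" in c}

def parse_third_party(raw):
    """Packages from `pm list packages -3` (lines of the form package:<name>)."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in raw.splitlines()
            if line.strip().startswith(prefix)}

def parse_launcher(raw):
    """Packages owning a launcher activity (assumed input: one package/class per line)."""
    return {line.strip().split("/", 1)[0] for line in raw.splitlines() if "/" in line}

def hidden_accessibility_apps(acc_raw, third_raw, launcher_raw):
    """Third-party packages holding an Accessibility Service without a launcher icon."""
    holders = parse_accessibility(acc_raw) & parse_third_party(third_raw)
    return sorted(holders - parse_launcher(launcher_raw))

# Constructed sample data; every package name here is hypothetical.
ACC_SAMPLE = ("com.vendor.screenreader/com.vendor.screenreader.ReaderService:"
              "com.example.passwords/com.example.passwords.AutofillService:"
              "com.example.updater/com.example.updater.CoreService")
THIRD_PARTY_SAMPLE = """package:com.example.passwords
package:com.example.updater
package:com.example.game
"""
LAUNCHER_SAMPLE = """com.example.passwords/com.example.passwords.MainActivity
com.example.game/com.example.game.StartActivity
com.vendor.screenreader/com.vendor.screenreader.SettingsActivity
"""

if __name__ == "__main__":
    for pkg in hidden_accessibility_apps(ACC_SAMPLE, THIRD_PARTY_SAMPLE, LAUNCHER_SAMPLE):
        print("review:", pkg)
```

A hit is a lead for manual review rather than a verdict, since some legitimate apps run an Accessibility Service without a launcher entry.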