Nasty Android Malware Attacks Facebook, Gmail and More - What to Do

A new strain of Android banking malware capable of stealing information from an estimated 337 apps, including Amazon, Facebook, Gmail, and Tinder, has been discovered by security researchers.

Named BlackRock, the malware was identified in May by cybersecurity firm ThreatFabric and has been linked to another strain of malware.

Upon investigating BlackRock, researchers said it "looked pretty familiar" and found that it used source code from the Xerxes malware, which itself was derived from a malware called LokiBot, as reported by ZDNet.

ThreatFabric states that this source code was "released by the author around May 2019" and is "accessible to any threat actor." The company also believes that BlackRock is the only banking Trojan currently using this source code.

What is interesting about BlackRock is that, despite adopting Xerxes' source code, the hackers have tweaked it, target more apps, and have been active longer.

They have also extended the scope of their attacks to general-purpose apps, not just online banking apps.

Among the 226 apps BlackRock targets for stealing credentials such as usernames and passwords are Amazon, Cash App, eBay, Gmail, Google Play, Hotmail, Instagram, Microsoft Outlook, myAT&T, Netflix, PayPal, Uber, and Yahoo Mail, as well as banking and cryptocurrency apps.

Facebook, Facebook Messenger, Google Hangouts, Grindr, Instagram, Kik, Periscope, Pinterest, PlayStation, Reddit, Skype, Snapchat, Telegram, TikTok, Tinder, Tumblr, Twitter, Viber, Russian social network VK, WhatsApp, WeChat, YouTube, and 111 more apps are targeted to steal credit card numbers.

Like much malware, BlackRock disguises itself as a seemingly legitimate app, asks users for various permissions, and steals data from their devices.

"When this malware first launches on a device, it first hides its icon from the app drawer, making it invisible to the end user. As a second step, the malware requests accessibility service permissions from the victim," the researchers wrote in a blog post. "Once the user grants the requested accessibility service permissions, BlackRock begins by granting additional permissions to itself. These additional permissions are necessary for the bot to function fully without further interaction with the victim. Once this is done, the bot is functional and ready to receive commands from the C2 (command-and-control) server to perform overlay attacks."

After the various permissions are granted, hackers can use the malware to execute commands such as sending and downloading text messages, running apps, accessing notifications, and unlocking infected phones.

According to ThreatFabric, the Trojan also renders antivirus applications unusable: "When victims try to use Avast, AVG, Bitdefender, ESET, Symantec, Trend Micro, Kaspersky, McAfee, Avira, and even TotalCommander, SD Maid, Superb Cleaner, and other applications that clean Android devices, the Trojan redirects them to the device's home screen."

Other capabilities include:

Perhaps more alarming is that BlackRock collects account information such as usernames and passwords. It then uses a method known as an "overlay" to encourage users to disclose their credit card information.

These overlays were used against a variety of apps, including business, messaging, dating, entertainment, financial, lifestyle, news, and social media apps.

The Trojan is not believed to be active on the Google Play store. Instead, it lurks in spoofed Google update packages distributed via third-party websites.

To protect yourself, you should only download apps from trusted sources (such as the Play Store), read app reviews, use unique passwords, and check app permissions.
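As an added example (not from the article or from ThreatFabric), the following Python script does the "check app permissions" step for the behaviours described above: it parses an app's AndroidManifest.xml and flags the permission cluster behind an accessibility service, draw-over-apps overlays, text-message access, notification access, and unlocking the phone. The mapping from behaviours to Android permission names is my own heuristic, and the sample manifest is constructed for the demonstration.

```python
"""Triage an Android manifest for the permission cluster described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Heuristic mapping (my assumption): behaviour -> AOSP permission names
# that an app needs declared to perform it.
BEHAVIOUR_SIGNALS = {
    "accessibility service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay (draw over other apps)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "text messages": {"android.permission.SEND_SMS",
                      "android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
    "notification access": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "unlock the phone": {"android.permission.DISABLE_KEYGUARD"},
}


def declared_names(manifest_xml: str) -> set:
    """Requested <uses-permission> names plus permissions services bind with."""
    root = ET.fromstring(manifest_xml)
    names = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    names |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    names.discard(None)
    return names


def triage(manifest_xml: str) -> list:
    """Behaviour labels whose signal permissions appear in the manifest."""
    names = declared_names(manifest_xml)
    return [label for label, sig in BEHAVIOUR_SIGNALS.items() if names & sig]


# Constructed sample manifest for a fake "update" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label in triage(SAMPLE_MANIFEST):
        print("flag:", label)
```

A single flagged behaviour is common in legitimate apps; it is the full cluster appearing together in an app from outside the Play Store that warrants a closer look.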
