BlankBot: A newly identified Android banking Trojan equipped with advanced features such as screen recording, keylogging, and remote control capabilities.


Cybersecurity researchers have uncovered a new Android banking trojan called BlankBot, which targets Turkish users in an attempt to steal financial data.

Summary:
Researchers at Intel 471 Malware Intelligence discovered BlankBot in July 2024. It is a new Android banking Trojan that most likely targets Turkish users. BlankBot's malicious features include injections, keylogging, screen recording, and communication with a control server over a WebSocket connection. Antivirus software misses the majority of samples, yet the existence of logs and different codes implies the malware is still under development, Intel 471 said in a report released last week.

BlankBot incorporates many of the features found in other banking Trojans but takes them a step further. Some key distinctions include:

  1. Advanced Screen Recording: Unlike its predecessors, BlankBot can capture real-time video of the device’s screen, potentially exposing sensitive information beyond just keystrokes.
  2. Sophisticated Remote Control: BlankBot offers attackers unprecedented control over infected devices, allowing for more complex and targeted attacks.
  3. Enhanced Anti-detection: BlankBot employs advanced techniques to evade detection by antivirus software and security researchers, making it more persistent and difficult to remove.
  4. Comprehensive Cryptocurrency Theft: While some Trojans have limited capabilities in this area, BlankBot is designed to target a wide range of cryptocurrency wallets.

Below is a list of some of the malicious APK files that include BlankBot:
app-release.apk (com.abcdefg.w568b)
app-release.apk (com.abcdef.w568b)
app-release-signed (14).apk (com.whatsapp.chma14)
app.apk (com.whatsapp.chma14p)
app.apk (com.whatsapp.w568bp)
showcuu.apk (com.whatsapp.w568b)

IOC:
BlankBot APK SHA-256:

BlankBot control servers:
79.133.41.52
185.255.92.185
