BlankBot: A New Android Banking Trojan Cannot Evade on Device Machine Learning Protection

August 2024 by Zimperium

BlankBot is a newly discovered Android banking trojan identified by Intel 471 Malware Intelligence researchers in July 2024. This sophisticated malware targets Android devices, primarily focused on Turkish users but capable of broader geographical attacks. BlankBot aims to produce profit for attackers by exfiltrating banking credentials. The trojan disguises itself as legitimate applications, deceiving users into granting extensive permissions that allow it to manipulate device functions for financial gain.

Capabilities of BlankBot

BlankBot is equipped with several malicious features such as:

Screen Recording: It leverages Android’s MediaProjection and MediaRecorder APIs to capture video and images of the infected device’s screen. These recordings are used to steal sensitive information displayed on the device.

Keylogging: Using accessibility services, BlankBot can log keystrokes, capturing everything the user types, including passwords and other confidential information.

Remote Control: The malware can receive commands from a command-and-control (C2) server and perform actions on the device remotely, such as waking the device and launching or uninstalling applications.

Custom Injections: BlankBot can create customizable overlays to steal banking credentials, payment card data, and personal information through fake input fields that mimic legitimate applications.
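An added example, not code from the Zimperium post or from the BlankBot research: the three capabilities above each abuse a specific Android mechanism (MediaProjection screen capture, an accessibility service, and overlay windows), and a banking app can harden its own login screen against all three with platform APIs. The layout `R.layout.activity_login` and the allowlist package are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class HardenedLoginActivity extends Activity {
    // Assumed allowlist of tolerated accessibility services (placeholder: platform screen reader).
    static final Set<String> TRUSTED_A11Y = Collections.singleton("com.google.android.marvin.talkback");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Screen recording: FLAG_SECURE makes the surface non-capturable, so a
        // MediaProjection-based recorder gets a blank frame instead of the login form.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        // Overlay injections: hide untrusted overlays on Android 12+, and on every
        // version discard touches delivered through a window drawn on top of ours.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }
        setContentView(R.layout.activity_login);            // assumed host-app layout
        findViewById(android.R.id.content).setFilterTouchesWhenObscured(true);
        // Keylogging via accessibility: enumerate enabled services so the app can warn
        // the user or step up authentication before credentials are typed.
        List<String> untrusted = untrustedAccessibilityServices(this);
        if (!untrusted.isEmpty()) {
            android.util.Log.w("HardenedLogin", "Untrusted accessibility services: " + untrusted);
        }
    }
    /** Package names of enabled accessibility services outside the allowlist. */
    static List<String> untrustedAccessibilityServices(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> found = new ArrayList<>();
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED_A11Y.contains(pkg)) found.add(pkg);
        }
        return found;
    }
}
```

The accessibility check is a signal rather than proof of infection, since legitimate assistive tools use the same API; the app's policy for what to do with the result is left to the host application.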

Defeating BlankBot with Zimperium

Zimperium’s Mobile Threat Defense (MTD) and Mobile Application Protection Suite (MAPS) protect devices and users against BlankBot. The original research identified 9 samples as part of this campaign. The detection engine powering Zimperium MTD and MAPS detects all of them in a zero-day fashion with very high confidence.

Zimperium’s advanced detection capabilities ensure that even newly discovered malware is promptly identified and mitigated. To achieve this, our machine learning based classifiers are constantly retrained. This not only keeps the classifiers current with the latest trends but also lets us perform historical analysis on detections: by running the samples against earlier classifier versions, we can retrospectively review prior coverage and determine historical efficacy.

In the case of this BlankBot campaign, classifiers deployed to the field more than a year ago detected BlankBot samples in a zero-day fashion, showing Zimperium’s proactive approach towards unknown threats.

BlankBot exemplifies the sophisticated nature of modern mobile malware, with its advanced capabilities for screen recording, keylogging, remote control, and custom injections. However, Zimperium’s comprehensive mobile security solutions, MTD and MAPS, ensure robust protection against such threats. Our MAPS zDefend SDK empowers application developers to seamlessly integrate powerful security measures, safeguarding financial and other high-risk applications from advanced attacks. Organizations can trust that our proactive approach, which includes continuous updates to our detection algorithms and advanced machine learning models, provides unmatched detection and mitigation of both known and zero-day threats, maintaining the highest levels of mobile security.