Blackloan: Banking Malware Affecting Asian Countries

Ever since it was first detected in late February of this year, the Blackloan banking trojan has been affecting users in China, Vietnam and Malaysia.

Its name comes from the Android package name that its developers give to most of the detected samples:


The infection vector is a set of phishing websites on which the victim is asked to enter personal data together with their credit card and bank details. These websites impersonate the pages of well-known entities, including Visa, the Ministry of Public Security (in the Vietnam campaigns) and banks.


Through these phishing pages, the attacker tries to convince the user to enter personal data and to install a supposedly official application that actually contains the trojan, which then steals credentials, geolocation data and text messages, among other information.


How it works

Unlike other banking trojans we have discussed on other occasions, such as Cerberus, Eventbot or GINP, Blackloan does not rely on overlays to steal its victims' credentials.

Instead, each sample of the malware is built to steal credentials for a single entity; it does not bundle different injections for different entities.

Depending on the country in which it has been distributed, it has impersonated different entities, so each sample has been designed to steal credentials for one entity or another, in addition to the victim's other confidential data.

In the case of the attacks on Chinese users, the entity the attackers chose to impersonate was Visa.


Phishing website used in the trojan

As the previous image shows, the application passes itself off as the legitimate Visa application and requests the victim's credit card details, name and other sensitive data.

In the case of the attacks on users in Vietnam, the malware impersonates the Ministry of Public Security, requesting confidential data from the victim.


Phishing website form in the Vietnam campaign

Finally, in the Malaysian malware campaign, Blackloan has impersonated the Central Bank of Malaysia, asking victims for personal information and credentials.


Phishing form used in the Malaysian campaign

In all these campaigns, the malicious application impersonates the entity and displays a WebView that loads the phishing page for that entity. The WebView is not triggered by the user opening the impersonated entity's legitimate application; it is displayed only when the user opens the malicious app itself.

This is very different from the scheme used by the best-known banking malware families. Those register an accessibility service that receives the accessibility events generated as the user interacts with the system; the events let the malware detect the moment the user opens a targeted entity's application, and it then displays its phishing content on top of it.

Here, the phishing form is shown only when the user chooses to open the malicious application.

Although the credential theft itself does not follow the usual strategy, the rest of the data theft functionality does. In addition to stealing credentials through phishing forms, the trojan includes the typical spyware features.

It intercepts sent and received text messages and sends the victim's call log to the control server, including the number dialed or calling, the date and the duration of each call.


Code that sends the received SMS to the control server


Code to get the call log and send it to C2


The family also collects and sends the contact list, and it allows the attacker to monitor the victim's GPS location.


Code in charge of getting the contact list



Code in charge of obtaining the location of a device to then send said location
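As an added example (not code from the original post, and not code from the malware itself), the following Python triage script turns the two observations above into a manifest check: the spyware capability set described for this family (SMS interception through an SMS_RECEIVED receiver, call log, contacts, location, plus network access), and the absence of an accessibility service, which is what separates this WebView-based phishing from the overlay-based bankers. Both manifests, package names and class names are constructed for illustration. The check expects a decoded manifest, since the AndroidManifest.xml inside an APK is binary XML; decode it first with a tool such as apktool or androguard.

```python
import xml.etree.ElementTree as ET

# Android resource namespace, expanded by ElementTree to Clark notation.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mirroring the capabilities described for this family
# (hypothetical package and class names; not taken from a real sample).
SPYWARE_STYLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevisa">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Visa">
        <activity android:name=".PhishingWebViewActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an overlay-style banker for contrast: it declares an
# accessibility service, which this family does not (hypothetical names).
OVERLAY_STYLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.overlaybanker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Permissions grouped by the data they expose, matching the theft features above.
SPYWARE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}


def triage_manifest(xml_text):
    """Summarise the data-theft capabilities declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = {cat for perm, cat in SPYWARE_PERMISSIONS.items() if perm in perms}
    # A receiver for SMS_RECEIVED is how incoming texts get intercepted.
    sms_receiver = any(
        act.get(A + "name") == "android.provider.Telephony.SMS_RECEIVED"
        for rcv in root.iter("receiver")
        for act in rcv.iter("action")
    )
    # Overlay-based bankers bind an accessibility service; WebView phishing needs none.
    accessibility = any(
        svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "sms_receiver": sms_receiver,
        "accessibility_service": accessibility,
        "internet": "android.permission.INTERNET" in perms,
    }


def classify(report):
    """Coarse label: which of the two strategies described above the manifest fits."""
    if report["accessibility_service"]:
        return "overlay-style banker candidate"
    if report["internet"] and len(report["capabilities"]) >= 3:
        return "spyware-style stealer candidate"
    return "no spyware pattern"


if __name__ == "__main__":
    for manifest in (SPYWARE_STYLE_MANIFEST, OVERLAY_STYLE_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "->", classify(report), report)
```

The threshold of three capability groups plus INTERNET is a triage heuristic, not a verdict: legitimate messaging or dialer apps declare several of these permissions too, so a hit should lead to looking at what the app does with the data (where the SMS receiver forwards messages, what the launcher activity loads in its WebView), not to an automatic block.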



Blackloan is a new family, first detected in February of this year, whose developers have focused on stealing confidential personal information from their victims, mainly credit card details.

This is the most important difference from the other popular banking malware families, whose operators target a fairly long list of entities that keeps growing over time.

Apart from the difference in how banking data is stolen, the remaining functionality is very similar to the spyware capabilities that most Android banking trojans incorporate: SMS theft, contact theft, call log theft and monitoring of the device's location.

We must stay alert to new developments in this family: although it has so far only targeted Asia, it could begin to spread to other continents and set its sights on new entities.


Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of buguroo’s development team, managing task distribution and negotiating with the Head of Technology.


