Ever since it was first detected back in late February of this year, the Blackloan bank trojan has been affecting users in China, Vietnam and Malaysia.
Its name comes from the Android package name that its developers give to most of the detected samples: com.loan.test1.
As a vector of infection, this malware uses phishing websites on which the victim is asked to enter personal data, in addition to other data related to their credit card and bank details. These websites impersonate the pages of well-known entities, which include: Visa, Ministry of Security (in campaigns in Vietnam) or bank entities.
Through these phishing pages, the attacker tries to convince the user to enter personal data and install a supposedly official application that is actually hiding the trojan that will steal their credentials, geolocation information and text messages, among other information.
How it works
In this case, each sample of the malware is intended to steal credentials for a specific entity, not including different injections for different entities.
Depending on the country in which it has been distributed, it has impersonated different entities and, therefore, the sample has been designed to steal credentials from one entity or another, in addition to the victim's confidential data.
In the case of attacks on Chinese users, the entity the attackers chose to impersonate has been Visa.
Phishing website used in the trojan
As we can see in the previous image, the application makes the user believe that it's the legitimate Visa application, requesting their credit card details, in addition to the name of the victim and other sensitive data.
In the case of the attacks on users in Vietnam, the malware impersonates the Ministry of Public Security, requesting confidential data from the victim.
Phishing website form in the Vietnam campaign
Finally, in the Malaysian malware campaign, Blackloan has impersonated the Central Bank of Malaysia, asking victims for personal information and credentials.
Phishing form used in the Malaysian campaign
In all these campaigns, the malicious application impersonates the entity and displays a WebView that loads the page with phishing content for the corresponding entity. This WebView isn't displayed when opening the impersonated entity's legitimate application, instead, it is displayed when the user opens the malicious app.
This operating scheme is very different from the scheme used by the best-known families of banking malware, which use an accessibility service to receive the accessibility events that occur while the user interacts with the system, and which allow the malware to detect the moment in which the user opens an application of an affected entity to then display the phishing content.
In this case, the phishing is only shown when the user decides to open the malicious application.
Although the main credential theft functionality doesn't follow the usual strategy, the rest of the confidential data theft functionalities do follow the usual strategies. And, in addition to stealing credentials through phishing forms, this trojan also includes the typical spyware functionality.
It's ready to intercept sent and received text messages, in addition to sending information about the victim's call log, including the phone number they're dialing or that's making the call, the date and duration.
Code that sends the received SMS to the control server
Code to get the call log and send it to C2
Another of the information theft functionalities included in this family is the collection and sending of the contact list. It also includes the functionality that allows the attacker to monitor the victim's GPS location.
Code in charge of getting the contact list
Code in charge of obtaining the location of a device to then send said location
Blackloan is a new family detected in February of this year, its developers have focused on stealing confidential personal information from their victims, focusing mainly on credit card details.
This is the most important difference with respect to the other most popular families of banking malware, in which attackers include a fairly long list of affected entities, which also increases in size over time.
Except for the differences in the bank data strategy, the rest of the functionalities are quite similar to the spyware functionality that most of the bankers for Android usually incorporate, including functionalities such as SMS theft, theft of contacts, theft of the call log and monitoring of the device's location.
We must be aware of any new developments regarding this new family, since although it has only attacked the Asian continent, it could begin to spread to other continents, setting its sights on new entities.