Overlay attack
BlackRock abuses the Accessibility Service to check which application is running in the foreground. Like the Ginp Android banking Trojan, BlackRock has two types of overlay screens: one is a generic card grabber view, and the other is a credential phishing overlay specific to each targeted application. Both target lists can be found in the appendix of the blog post.
The following code snippet shows how the overlay WebView is created:
As shown in the code snippet above, the address of the overlay points to local files rather than a web location. This is a feature inherited from Xerxes, which downloads an archive with all the target overlay files on the infected device. BlackRock does it slightly differently, getting a separate archive for each targeted application installed on the device.
The following screenshots show some of the credential phishing overlays: