
BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities

Aug 1, 2024

Key Points:

  • In July 2024, Intel 471 Malware Intelligence researchers discovered the new BlankBot Android banking trojan.
  • Based on the application names and certain strings found within the application, it is highly likely BlankBot’s primary targets are Turkish users.
  • BlankBot features a range of malicious capabilities, including custom injections, keylogging and screen recording, and it communicates with a control server over a WebSocket connection.
  • At the time of this report, most samples remain largely undetected by the majority of antivirus software, according to the VirusTotal service.
  • The malware apparently still is under development, as indicated by the presence of logs and code variants.

Overview

On July 24, 2024, Intel 471 Malware Intelligence researchers discovered malicious Android samples that impersonated utility applications and could not be attributed to any known malware family (see: Figure 1). We named it BlankBot since no open source reference to it existed at the time of this report.

The first BlankBot samples dated from the end of June 2024, and almost all were undetected by most antivirus software.

[Image: Blank Bot image7 - Figure 1: The image depicts a screenshot of Android package kit (APK) icons BlankBot malware used, which we captured July 29, 2024.]

Like many other Android banking trojans, BlankBot also abuses accessibility services to obtain complete control of infected devices. In particular, the malware is able to log everything that appears on the infected device, including short message service (SMS) text, sensitive information and a list of applications used. The malware also is able to conduct custom injections used to steal bank information, such as payment card data and a lock pattern for the device.

Communications between BlankBot and a controller start with a “GET” request where the hypertext transfer protocol (HTTP) headers include information about the infected device, such as the battery level, screen size, model, manufacturer and operating system (OS) version. The malware uses port 8080 via a WebSocket connection for subsequent controller communication.

At this early stage, application names and certain strings found within the application suggest it is likely the primary BlankBot targets are Turkish users. However, no specific financial institutions were identified as targets during our analysis, therefore, this malware could be distributed in campaigns against users in different countries.

Technical analysis

Once the malicious app is installed, its icon is not displayed on the device launcher and the user is prompted to grant accessibility permissions, accompanied by an explanation message (see: Figure 2):

“Welcome! App needs Accessibility permission to run properly. Please give accessibility permission!”

[Image: Blank Bot image2 - Figure 2: The image depicts a screenshot of the BlankBot installation process, which we captured July 29, 2024.]

The malware subsequently initiates communication with the control server by sending an HTTP “GET” request to the controller and switches to the WebSocket network connection protocol.

Once accessibility service access is granted, BlankBot displays a black screen to the user claiming that the app is updating. Meanwhile, the malware automatically obtains all necessary permissions in the background (see: Figure 3).

[Image: Blank Bot image3 - Figure 3: The image depicts a screenshot of a fake update screen and permissions BlankBot obtained automatically, which we captured July 29, 2024.]

If the malware is installed on a device with Android 13 or newer, BlankBot implements a session-based package installer to bypass the restricted settings feature introduced in Android 13. The bot asks the victim to allow installing applications from third-party sources, then retrieves the unencrypted Android package kit (APK) file stored inside the application assets directory and proceeds with the package installation process (see: Figure 4).

[Image: Blank Bot image10 - Figure 4: The image depicts a screenshot of the BlankBot payload installation phase via Android 13, which we captured July 29, 2024.]

Capabilities

Screen recording

The malware can perform screen recording using Android's MediaProjection and MediaRecorder application programming interfaces (APIs). BlankBot is able to capture a video of the device screen via the MediaProjection API, and the content is saved as a Moving Picture Experts Group (MP4) file within the application's internal storage. However, this feature apparently is still under development, since the implementation changes between samples.

BlankBot uses the MediaRecorder API to capture screen images after specifying the height and width of the infected device's display, the image format and the maximum number of images to be acquired. The Joint Photographic Experts Group (JPEG) images captured are Base64 encoded and sent to the remote server (see: Figure 5).

[Image: Blank Bot image5 - Figure 5: The image depicts a screenshot of malware code used to exfiltrate captured screen images, which we captured July 30, 2024.]

Keylogging

As in many other Android banking trojans, accessibility services play a key role in intercepting and stealing confidential information. BlankBot abuses accessibility to retrieve data from infected devices, such as a list of applications used, notifications, text the user types and other sensitive information that appears on the screen or that the victim copies and pastes.

[Image: Blank Bot image9]

Unlike most other malware, however, BlankBot also uses a custom virtual keyboard implemented via the “InputMethodService” class that Android provides. The primary purpose of this code is to intercept and send the keys the user presses on the keyboard.

[Image: Blank Bot image6 - Figure 7: The image depicts a screenshot of a malware code snippet used to send intercepted keyboard keystrokes to the controller, which we captured July 29, 2024.]

Injections

Upon a specific command received from the command-and-control (C2) server, the bot is able to create a customizable overlay based on the threat actors’ needs. The overlay could be abused to ask for banking credentials, personal information, payment card data or to steal the lock pattern. The malware developers included two external, open source libraries to implement the custom injection templates, specifically:

We simulated the control server functionality to trigger and test a wide variety of BlankBot capabilities, which include overlays. We issued a command to create three different views customized with the ING bank logo and user interface (UI) text elements displayed (see: Figure 8). Any user input was logged and promptly exfiltrated to the control server.

[Image: Blank Bot image4 - Figure 8: The image depicts a screenshot of customized overlays that our Malware Intelligence Team generated, which we captured July 30, 2024.]

Commands

BlankBot communicates with the C2 server over a WebSocket connection to exfiltrate data and receive a wide range of bot commands. Specifically, the botmaster is able to start and stop screen recording to receive a live view of the infected device display. For applications that set the “FLAG_SECURE” security measure to prevent sensitive data leaks, the botmaster can leverage a hidden virtual network computing (HVNC) module to exfiltrate the layout of UI elements by abusing the accessibility services. Threat actors are able to perform on-device fraud (ODF) by waking up and controlling the device remotely with different types of supported gestures, such as clicks or swipes. Additionally, BlankBot is capable of creating overlays, as described in the previous section, as well as collecting contacts, SMS text and a list of installed applications. The commands supported by the bot are described in the table below.

Command ID | Description
-3         | Stop HVNC module
-1         | Stop screen recording
1          | Start screen recording
2          | Perform a gesture
3          | Start HVNC module
11         | Create an overlay with message
12         | Request a permission or change device settings
13         | Collect SMS text
15         | Collect contacts
16         | Send text message
18         | Wake up device
20         | Collect installed applications
22         | Create an overlay with edit text or pattern
24         | Delete an SMS text
25         | Uninstall an application
26         | Launch an application
27         | Create an overlay for payment card data

Defense evasion

Once installed on a device, the malware checks whether it is running in an emulator. If the infected device is considered legitimate, it attempts to maintain persistence by preventing the user from performing a variety of actions, such as accessing the settings or antivirus applications. This is achieved using the accessibility services, which monitor all events on the infected device and watch for certain words that appear on the device screen (see: Figure 9).

[Image: Blank Bot image8 - Figure 9: The image depicts malware code BlankBot uses to maintain persistence on an infected device, which we captured July 29, 2024.]

Recent BlankBot samples were partially obfuscated and padded with junk code to slow down reverse engineering, which makes it significantly more challenging for security researchers to analyze the code and understand the malware’s behavior.

[Image: Blank Bot image1 - Figure 10: The image depicts a screenshot of the same malware code BlankBot implemented in two different variants, which we captured July 29, 2024.]

Conclusions

BlankBot is a new Android banking trojan still under development, as evidenced by the multiple code variants observed in different applications. Regardless, the malware can perform malicious actions once it infects an Android device, which include conducting custom injection attacks, ODF or stealing sensitive data such as credentials, contacts, notifications and SMS messages.

This research aims to demonstrate how the mobile threat landscape continually evolves and how cybercriminals continue to create new types of malware to stay under the radar until receiving media attention or interest from most antivirus companies.

Indicators of compromise (IoCs)

BlankBot APK SHA-256


BlankBot control servers

  • 79.133.41.52
  • 185.255.92.185

MITRE ATT&CK

MITRE ATT&CK techniques

Technique title | ID | Use

Collection [TA0035]
Clipboard Data | T1414 | Writes data in the user's clipboard when a specific command is received from the control server
Keylogging | T1417.001 | Logs keystrokes by abusing the accessibility API
Screen Capture | T1513 | Records screen content using the MediaProjection and MediaRecorder APIs
Contact List | T1636.003 | Collects and exfiltrates the device's contact list
SMS Messages | T1636.004 | Collects and exfiltrates SMS text from the device

Credential Access [TA0031]
GUI Input Capture | T1417.002 | Creates overlays to steal payment card data and pattern lock

Discovery [TA0032]
Software Discovery | T1418 | Retrieves a list of installed applications and exfiltrates it to the controller
System Information Discovery | T1426 | Collects device information such as manufacturer, model, operating system version, battery level and screen size

Command and Control [TA0037]
Non-Standard Port | T1509 | Communicates with the control server over a WebSocket connection on port number 8080

Impact [TA0034]
Input Injection | T1516 | Abuses accessibility services to perform arbitrary actions on behalf of the user
SMS Control | T1582 | Sends an SMS text to a specified phone number

Persistence [TA0028]
Broadcast Receivers | T1624.001 | Registers the “BOOT_COMPLETED” broadcast intent to run when the device boots

Privilege Escalation [TA0029]
Device Administrator Permissions | T1626.001 | Asks for device administrator privileges following a specific command

Defense Evasion [TA0030]
Suppress Application Icon | T1628.001 | Hides the icon from the application launcher
Prevent Application Removal | T1629.001 | Abuses accessibility services to prevent the user from uninstalling the malware application
Uninstall Malicious Application | T1630.001 | Uninstalls the malware application from the infected device after a specific command
Virtualization/Sandbox Evasion | T1633 | Performs anti-emulation checks to avoid running in a sandbox environment

Exfiltration [TA0036]
Exfiltration Over Alternative Protocol | T1639 | Exfiltrates collected data via a WebSocket network communication protocol
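Several of the behaviours mapped above (hidden launcher icon, accessibility service binding, BOOT_COMPLETED receiver, device-admin receiver and the sideload permission needed for the Android 13 installer flow) are visible in an app's decoded manifest before it ever runs. The following static triage script is an added example written for this article, not Intel 471 tooling or BlankBot code; the manifest it parses is constructed to exhibit every flagged behaviour and is not taken from a real sample.

```python
"""Static triage of a decoded AndroidManifest.xml for BlankBot-style traits."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest (not a real sample) that shows every trait checked below.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeutility">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def _names(el, tag):
    """Set of android:name values of all <tag> descendants of el."""
    return {child.get(NAME) for child in el.iter(tag)}


def triage_manifest(xml_text: str) -> dict:
    """Return ATT&CK-tagged findings (True = trait present in the manifest)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        app = root
    perms = _names(root, "uses-permission")
    # T1628.001: no activity with both MAIN action and LAUNCHER category means no icon.
    has_launcher = any("android.intent.action.MAIN" in _names(a, "action")
                       and "android.intent.category.LAUNCHER" in _names(a, "category")
                       for a in app.iter("activity"))
    return {
        "T1628.001_no_launcher_icon": not has_launcher,
        "T1417.001_accessibility_service": any(
            s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in app.iter("service")),
        "T1624.001_boot_receiver": any(
            "android.intent.action.BOOT_COMPLETED" in _names(r, "action")
            for r in app.iter("receiver")),
        "T1626.001_device_admin": any(
            r.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
            for r in app.iter("receiver")),
        "sideload_permission": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }


def risk_score(findings: dict) -> int:
    """Count of traits present; a utility app scoring 4 or more deserves a closer look."""
    return sum(1 for present in findings.values() if present)
```

None of these traits is malicious on its own (accessibility apps and device-admin tools are legitimate), so the score is a triage prioritiser, not a verdict.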
