{
	"id": "702646ef-2585-4780-83b3-11a6ec831b9f",
	"created_at": "2026-04-06T00:06:27.919605Z",
	"updated_at": "2026-04-10T03:35:19.862046Z",
	"deleted_at": null,
	"sha1_hash": "9fa96e91fcabeac66e99898a34416c28a67ee744",
	"title": "BlackRock - the Trojan that wanted to get them all",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125862,
	"plain_text": "BlackRock - the Trojan that wanted to get them all\r\nPublished: 2024-10-01 · Archived: 2026-04-05 12:44:33 UTC\r\nIntro\r\nAround May 2020 ThreatFabric analysts have uncovered a new strain of banking malware dubbed BlackRock that looked\r\npretty familiar. After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking\r\nmalware, which itself is a strain of the LokiBot Android banking Trojan. The source code of the Xerxes malware was made\r\npublic by its author around May 2019, which means that it is accessible to any threat actor.\r\nWhen source code of malware is leaked or made publicly accessible it is pretty common to see the threat landscape being\r\nsupplemented with new malware variants or families based on the said code. We have observed similar events in the past, as\r\nfor example the infamous Bankbot Trojan code made available by its author, leading to new Trojans like CometBot, Razdel\r\nand Anubis. When Anubis itself was leaked the actor(s) behind the Ginp Trojan reused small portions of its code.\r\nHowever, when Xerxes’ source code was leaked, no new malware based on, or using portions of, such code was observed.\r\nBlackRock seems to be the only Android banking Trojan based on the source code of the Trojan at the moment.\r\nAlthough LokiBot has been considered dead and inactive for a while, we have observed attempts from some actors to get the\r\nTrojan working several times in the last years. Looking at the number of samples built for each of those campaigns and the\r\nduration of those, the actors didn’t seem to have been very successful. Therefore, we believe that those campaigns were\r\nprobably driven by new actors trying out the publicly available source code. 
BlackRock campaigns, on the other hand, are different: not only did the Trojan undergo changes in its code, but it also comes with an increased target list (containing many non-financial apps), and its campaigns have been ongoing for a longer period.\r\nTechnical aspects aside, one of the interesting differentiators of BlackRock is its target list; it contains a significant number of social, networking, communication and dating applications. So far, many of those applications have not been observed in the target lists of other existing banking Trojans. It therefore seems that the actors behind BlackRock are trying to abuse the growth in online socializing that increased rapidly in the last months due to the pandemic situation.\r\nThe LokiBot malware family\r\nAs BlackRock is based on the Xerxes banking Trojan, it is part of the LokiBot lineage, which has several variants, as shown hereafter.\r\nLokiBot itself was first observed between the end of 2016 and the beginning of 2017 as rented malware. Sometime after the author of the Trojan got banned from underground forums, the source code of the Trojan was leaked. During the first half of 2018, MysteryBot was observed to be active. Although it was based on LokiBot, it contained upgrades in order to work properly on newer Android versions and used new techniques to steal personal information. In the second half of 2018, Parasite appeared on the threat landscape as the direct successor of MysteryBot. It was enhanced with accessibility features and some automated scripts (such as PayPal automated transfer scripts). In May 2019 the Xerxes Trojan first appeared; it was based on Parasite and, after some unsuccessful attempts at offering the Trojan on underground forums, the actor made it publicly available. After being used by several actors, it faded away from the threat landscape. In May 2020 BlackRock was first spotted.\r\n
Once the user grants the requested Accessibility Service privilege, BlackRock starts by granting itself additional permissions. Those additional permissions are required for the bot to fully function without having to interact any further with the victim. When done, the bot is functional and ready to receive commands from the C2 server and perform overlay attacks.\r\nCommands\r\nThe commands supported by the current version of the bot are listed below. They give a good overview of what the actor(s) can do on the infected device.\r\nCommand Description\r\nSend_SMS Sends an SMS\r\nFlood_SMS Sends an SMS to a specific number every 5 seconds\r\nDownload_SMS Sends a copy of SMS messages to the C2\r\nSpam_on_contacts Sends an SMS to each of the contacts present on the infected device\r\nChange_SMS_Manager Sets the malware as default SMS manager (the command is repeated every 30 seconds until the action is achieved)\r\nRun_App Starts a specific app on the bot\r\nStartKeyLogs Logs text content shown on the screen from targets and sends it to the C2\r\nStopKeyLogs Stops logging the accessibility events from targets\r\nStartPush Sends a copy of all notification content to the C2\r\nStopPush Stops sending a copy of all notification content to the C2\r\nHide_Screen_Lock Keeps the device on the HOME screen\r\nUnlock_Hide_Screen Unlocks the device from the HOME screen\r\nAdmin Makes the bot request admin privileges\r\nProfile Adds a managed admin profile for the malware on the device\r\nStart_clean_Push Dismisses (hides) all push notifications\r\nStop_clean_Push Stops dismissing push notifications\r\n
Features\r\nBlackRock offers a quite common set of capabilities compared to the average Android banking Trojan. It can perform the infamous overlay attacks, send, spam and steal SMS messages, lock the victim in the launcher activity (HOME screen of the device), steal and hide notifications, deflect usage of antivirus software on the device and act as a keylogger. Interestingly, the Xerxes Trojan itself offers more features, but it seems that the actors have removed some of them in order to only keep those that they consider useful to steal personal information.\r\nThe keylogger logs the text content from apps shown on the screen and does so only for applications included in the target lists.\r\nThe Trojan redirects the victim to the HOME screen of the device if the victim tries to start or use antivirus software from a specific list including Avast, AVG, BitDefender, Eset, Symantec, TrendMicro, Kaspersky, McAfee, Avira, and even applications to clean Android devices, such as TotalCommander, SD Maid or Superb Cleaner. By doing so, the Trojan tries to avoid letting the victim remove it from the device and establishes some form of persistence.\r\nBlackRock embeds the following set of features, allowing it to remain under the radar and successfully harvest personal information:\r\nOverlaying: Dynamic (Local injects obtained from C2)\r\nKeylogging\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nDevice info collection\r\nSMS: Sending\r\nRemote actions: Screen-locking\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nNotifications collection\r\nGrant permissions\r\nAV detection\r\n
Profiling\r\nOne functionality that is so far unique to BlackRock is that it makes use of Android work profiles. This Android feature is usually used by companies to define a device policy controller (DPC) in order to control and apply policies on their mobile fleet. It allows control of various aspects of a device without per se having complete administration rights on all aspects of the device.\r\nBlackRock abuses this feature to gain admin privileges. It simply creates and attributes to itself a profile which has the admin privileges.\r\nThe following code snippet shows how the profile is created:\r\nprivate void createProfile() {\r\n    try {\r\n        // Ask the system to provision a managed (work) profile owned by the malware\r\n        Intent intent = new Intent(\"android.app.action.PROVISION_MANAGED_PROFILE\");\r\n        if (Build.VERSION.SDK_INT \u003c 23) {\r\n            intent.putExtra(\"android.app.extra.\", this.getApplicationContext().getPackageName());\r\n        } else {\r\n            intent.putExtra(\"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME\", new ComponentName(this, Admi\r\n        }\r\n        // Launch the provisioning flow only if a handler for it exists on the device\r\n        if (intent.resolveActivity(this.getPackageManager()) != null) {\r\n            this.startActivityForResult(intent, 101);\r\n            return;\r\n        }\r\n    } catch (Exception e) {\r\n        e.printStackTrace();\r\n        return;\r\n    }\r\n}\r\n
Overlay attack\r\nBlackRock abuses the Accessibility Service to check which application runs in the foreground. Like the Ginp Android banking Trojan, BlackRock has two types of overlay screens: one is a generic card grabber view and the other is a credential phishing overlay specific to each targeted app. Both target lists can be found in the appendix of this blog.\r\nThe following code snippet shows how the overlay WebView is created:\r\nprotected void onStart() {\r\n    super.onStart();\r\n    // Flag that an inject (overlay) is currently being shown\r\n    SharedPreferences.Editor editor = PreferenceManager.getDefaultSharedPreferences(this).edit();\r\n    editor.putBoolean(\"injActive\", true);\r\n    editor.commit();\r\n    // The targeted package name is passed in by the caller; overlay files live in the app's private files directory\r\n    String packageName = this.getIntent().getStringExtra(\"str\");\r\n    String injURL = this.getFilesDir().getAbsolutePath() + File.separator;\r\n    try {\r\n        this.webView = new WebView(this);\r\n        this.webView.getSettings().setJavaScriptEnabled(true);\r\n        this.webView.setScrollBarStyle(0);\r\n        this.webView.setWebChromeClient(new WebChromeClient());\r\n        // JavaScript bridge used by the phishing page to hand entered data back to the app\r\n        this.webView.addJavascriptInterface(new JSInterface(this, packageName), \"Android\");\r\n        this.webView.setWebViewClient(new Inject.a(this));\r\n        // Load the per-target inject from local storage (files directory / package name / index.html)\r\n        this.webView.loadUrl(\"file:///\" + injURL + packageName + \"/index.html\");\r\n        this.setContentView(this.webView);\r\n        this.webView.setWebViewClient(new Inject.b(this, packageName));\r\n    } catch (Exception e) {\r\n        e.printStackTrace();\r\n    }\r\n}\r\nAs shown in the previous code snippet, the URL of the overlay points to local files rather than a web location. This is a feature inherited from Xerxes, which downloads an archive with all the targets' overlay files onto the infected device. BlackRock does it somewhat differently by downloading a separate archive for each targeted app installed on the device.\r\nThe following screenshots show some of the credential phishing overlays:\r\n
Conclusion\r\nAlthough we've observed a steady increase in the number of new banking Trojans since 2014, 2020 shows an interesting increase again after a quite calm 2019. As stated in our blog 2020 - Year of the RAT, not only are there more new Android banking Trojans, but some of them also bring innovative new features. Most of them start embedding features allowing the criminals to take remote control of the infected device (RAT) and sometimes even to automatically perform the fraud from the infected device (ATS). In the case of BlackRock, the features are not very innovative, but the target list has a large international coverage and contains quite a lot of new targets which have not been seen targeted before.\r\nAlthough BlackRock is a new Trojan with an exhaustive target list, looking at previous unsuccessful attempts of actors to revive LokiBot through new variants, we can't yet predict how long BlackRock will be active on the threat landscape. What can be considered certain is that the number of new banking Trojans will continue to grow, bringing new functionalities to increase the success rate of fraud, while fraud becomes a growing risk even for consumers not using mobile banking, as we can see with BlackRock targeting third-party apps.\r\nThe second half of 2020 will come with its surprises; after Alien, Eventbot and BlackRock we can expect that financially motivated threat actors will build new banking Trojans and continue improving the existing ones. With the changes that we expect to be made to mobile banking Trojans, the line between banking malware and spyware becomes thinner, and banking malware will pose a threat to more organizations and their infrastructure, an organic change that we observed in Windows banking malware years ago.\r\nThe most important aspect to take care of is securing the online banking channels, making fraud hard to perform and therefore discouraging criminals from making more malware.\r\nMobile Threat Intelligence\r\nOur threat intelligence solution, MTI, provides the context and in-depth knowledge of past and present malware-powered threats in order to understand the future of the threat landscape. 
Such intelligence includes both the strategic overview on trends and the operational indicators to discern early signals of upcoming threats and build a future-proof security strategy.\r\nClient Side Detection\r\nOur online fraud detection solution, CSD, presents financial institutions with a real-time overview of the risk status of their online channels and related devices. This overview provides all the relevant information and context to act upon threats before they turn into fraud. The connectivity with existing risk or fraud engines allows for automated and orchestrated, round-the-clock fraud mitigation.\r\nAppendix\r\nSamples\r\nSome of the latest BlackRock samples found in the wild:\r\nApp name Package name SHA-256 hash\r\nGoogle Update ayxzygxgagiqhdnjnfduerzbeh.hme.egybgkeziplb 51f9c37c3eec0b6f8325aa1c8fe64a0615ab920584042df557426\r\nGoogle Update cmbmpqod.bfrtuduawoyhr.mlmrncmjbdecuc 6fa4baef8a811f429cee4b383d7a4776b7b363b62551c8d8e0f93\r\nGoogle Update fpjwhqsl.dzpycoeasyhs.cwnporwocambskrxcxiug 7d34aaf84754fb247507681bcd821f9533f24c6d78aa6779a11f4\r\nGoogle Update onpekpikylb.bcgdhxgzwd.dzlecjglpigjuc 81fda9ff99aec1b6f7b328652e330d304fb18ee74e0dbd0b759ac\r\nGoogle Update ezmjhdiumgiyhfjdp.bjucshsqxhkigwyqqma.gqncehdcknrtcekingi fbaf785edfafa583ea61884d88f507a27154892a394e27d81102f7\r\n
Credential theft target list\r\nThe actual BlackRock target list used for credential theft contains 226 applications:\r\nApp name Package name\r\nTransferWise Money Transfer com.transferwise.android\r\nPayPal Mobile Cash: Send and Request Money Fast com.paypal.android.p2pmobile\r\nPayoneer – Global Payments Platform for Businesses com.payoneer.android\r\nNETELLER - fast, secure and global money transfers com.moneybookers.skrillpayments.neteller\r\nEO.Finance: Buy and Sell Bitcoin. Crypto Wallet com.eofinance\r\nAzimo Money Transfer com.azimo.sendmoney\r\nePayments: wallet \u0026 bank card clientapp.swiftcom.org\r\nYahoo Mail – Organized Email com.yahoo.mobile.client.android.mail\r\nMicrosoft Outlook: Organize Your Email \u0026 Calendar com.microsoft.office.outlook\r\nmail.com mail com.mail.mobile.android.mail\r\nGmail com.google.android.gm\r\nGoogle Play services com.google.android.gms\r\nConnect for Hotmail \u0026 Outlook: Mail and Calendar com.connectivityapps.hotmail\r\nUber - Request a ride com.ubercab\r\nNetflix com.netflix.mediaclient\r\neBay: Buy, sell, and save money on home essentials com.ebay.mobile\r\nAmazon Seller com.amazon.sellermobile.android\r\nAmazon Shopping - Search, Find, Ship, and Save com.amazon.mShop.android.shopping\r\nSkrill - Fast, secure online payments com.moneybookers.skrillpayments\r\nBlockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum piuk.blockchain.android\r\nBitcoin Wallet Coincheck jp.coincheck.android\r\nEthos Universal Wallet io.ethos.universalwallet\r\nIndodax id.co.bitcoin\r\nWazirX - Buy Sell Bitcoin \u0026 Other Cryptocurrencies com.wrx.wazirx\r\nUnocoin Wallet com.unocoin.unocoinwallet\r\nCash App com.squareup.cash\r\nBitcoin Wallet - Buy BTC com.polehin.android\r\nPlus500: CFD Online Trading on Forex and Stocks com.Plus500\r\nPAYEER com.payeer\r\nPaxful Bitcoin Wallet com.paxful.wallet\r\nParibu com.paribu.app\r\nMycelium Bitcoin Wallet com.mycelium.wallet\r\nEXMO Official - Trading crypto on the exchange com.exmo\r\nCoinbase – Buy \u0026 Sell Bitcoin. Crypto Wallet com.coinbase.android\r\nBtcTurk Bitcoin Borsası com.btcturk\r\nBitPay – Secure Bitcoin Wallet com.bitpay.wallet\r\nAplikacja Bitmarket com.bitmarket.trader\r\nBitfinex com.bitfinex.mobileapp\r\nBinance - Buy \u0026 Sell Bitcoin Securely com.binance.dev\r\nBitcoin Wallet - Airbitz com.airbitz\r\nEdge - Bitcoin, Ethereum, Monero, Ripple Wallet co.edgesecure.app\r\nbitbank - Bitcoin \u0026 Ripple Wallet cc.bitbank.bitbank\r\nBank of Scotland Business Mobile Banking uk.co.bankofscotland.businessbank\r\nWestpac Mobile Banking org.westpac.bank\r\nBankSA Mobile Banking org.banksa.bank\r\nSt.George Tablet Banking org.banking.tablet.stgeorge\r\nMes Comptes BNP Paribas net.bnpparibas.mescomptes\r\nSantander Mobile Banking mobile.santander.de\r\nSpeedway Fuel \u0026 Speedy Rewards com.speedway.mobile\r\nRBS Investor \u0026 Media Relations com.rbs.mobile.investisir\r\nUlster Bank RI Mobile Banking com.rbs.mobile.android.ubr\r\nRBS Business Banking com.rbs.mobile.android.rbsbandc\r\nRoyal Bank of Scotland Mobile Banking com.rbs.mobile.android.rbs\r\nNatWest International com.rbs.mobile.android.natwestoffshore\r\nNatWest Business Banking com.rbs.mobile.android.natwestbandc\r\nNatWest Mobile Banking com.rbs.mobile.android.natwest\r\nRBS com.phyder.engage\r\nLloyds Bank Business Mobile Banking com.lloydsbank.businessmobile\r\nING-DiBa Banking + Brokerage com.ing.diba.mbbr2\r\nTSBBank Mobile Banking com.ifs.banking.fiid4202\r\nBANKWEST OF KANSAS com.ifs.banking.fiid3767\r\nHSBC Mobile Banking com.htsu.hsbcpersonalbanking\r\nBank of Scotland Mobile Banking: secure on the go com.grppl.android.shell.BOS\r\nGaranti CepBank com.garanti.cepbank\r\nTSB Mobile com.fi6122.godough\r\nVolume Control + com.cb.volumePlus\r\nBarclays com.barclays.android.barclaysmobilebanking\r\nANZ Spot com.anzspot.mobile\r\n- com.anz.SingaporeDigitalBanking\r\nANZ Mobile Taiwan com.anz.android\r\nAkbank Direkt Şifreci com.akbank.softotp\r\nGaranti BBVA Cep Şifrematik biz.mobinex.android.apps.cep_sifrematik\r\nING España. Banca Móvil www.ingdirect.nativeframe\r\nBROU Llave Digital uy.com.brou.token\r\nApp Móvil del Banco República uy.brou\r\nTSB Mobile Banking uk.co.tsb.newmobilebank\r\nSantander Mobile Banking uk.co.santander.santanderUK\r\nHSBC UK Mobile Banking uk.co.hsbc.hsbcukmobilebanking\r\nŞEKER MOBİL ŞUBE tr.com.sekerbilisim.mbank\r\nHSBC Turkey tr.com.hsbc.hsbcturkey\r\nPeoPay softax.pekao.powerpay\r\nPostepay posteitaliane.posteapp.apppostepay\r\nIKO pl.pkobp.iko\r\nMój Orange pl.orange.mojeorange\r\nmBank PL pl.mbank\r\nMoje ING mobile pl.ing.mojeing\r\nIFIRMA - Darmowy Program do Faktur pl.ifirma.ifirmafaktury\r\nFakturownia.pl pl.fakturownia\r\nRossmann PL pl.com.rossmann.centauros\r\nCeneo - zakupy i promocje pl.ceneo\r\nSantander mobile pl.bzwbk.bzwbk24\r\nAllegro - convenient and secure online shopping pl.allegro\r\nErste MobilBank pegasus.project.ebh.mobile.android.bundle.mobilebank\r\nInterbank APP pe.com.interbank.mobilebanking\r\nSt.George Mobile Banking org.stgeorge.bank\r\nBanco Sabadell App. Your mobile bank net.inverline.bancosabadell.officelocator.android\r\nMaybank2u MY my.com.maybank2u.m2umobile\r\nL’Appli Société Générale mobi.societegenerale.mobile.lappli\r\nPocket Bank ma.gbp.pocketbank\r\n楽天銀行 -個人のお客様向けアプリ jp.co.rakuten_bank.rakutenbank\r\nSCRIGNOapp it.popso.SCRIGNOapp\r\nUBI Banca it.nogood.container\r\nING Italia it.ingdirect.app\r\nBanca MPS it.copergmps.rt.pf.android.sp.bmps\r\nBNL it.bnl.apps.banking\r\nMKB Mobilalkalmazás hu.mkb.mobilapp\r\nErste Business MobilBank hu.cardinal.erste.mobilapp\r\nCIB Business Online hu.cardinal.cib.mobilapp\r\nBudapest Bank Mobil App hu.bb.mobilapp\r\nBi en Línea gt.com.bi.bienlinea\r\nMes Comptes - LCL fr.lcl.android.customerarea\r\nMa Banque fr.creditagricole.androidapp\r\nBanque Populaire fr.banquepopulaire.cyberplus\r\nEnpara.com Cep Şubesi finansbank.enpara\r\nHVB Mobile Banking eu.unicreditgroup.hvbapptan\r\nPekaoBiznes24 eu.eleader.mobilebanking.pekao.firm\r\nPekao24Makler eu.eleader.mobilebanking.pekao\r\nplusbank24 eu.eleader.mobilebanking.invest\r\nUnicajaMovil es.univia.unicajamovil\r\nPibank es.pibank.customers\r\nOpenbank – banca móvil es.openbank.mobile\r\nBanca Digital Liberbank es.liberbank.cajasturapp\r\nCaixaBank es.lacaixa.mobile.android.newwapicon\r\nIbercaja es.ibercaja.ibercajaapp\r\nEVO Banco móvil es.evobanco.bancamovil\r\nBankia es.cm.android\r\nCajalnet es.ceca.cajalnet\r\nBanco Caixa Geral España es.caixageral.caixageralapp\r\nABANCA- Banca Móvil es.caixagalicia.activamovil\r\nSantander Empresas es.bancosantander.empresas\r\ntractorpool de.traktorpool\r\nPostbank Finanzassistent de.postbank.finanzassistent\r\nN26 — The Mobile Bank de.number26.android\r\nmobile.de – Germany‘s largest car market de.mobile.android.app\r\nING Banking to go de.ingdiba.bankingapp\r\nVR Banking Classic de.fiducia.smartphone.android.banking.vr\r\nDKB-Banking de.dkb.portalapp\r\nConsorsbank de.consorsbank\r\nCommerzbank Banking - The app at your side de.commerzbanking.mobil\r\ncomdirect mobile App de.comdirect.android\r\nBanco Santander Perú S.A. com.zoluxiones.officebanking\r\nZiraat Mobile com.ziraat.ziraatmobil\r\nYapı Kredi Mobile com.ykb.android\r\nWells Fargo Mobile com.wf.wellsfargomobile\r\nVakıfBank Mobil Bankacılık com.vakifbank.mobile\r\n- com.uy.itau.appitauuypfcom.usbank.mobilebankingcom.usaa.mobile.android.usaa\r\nMobile Banking UniCredit com.unicredit\r\nHalkbank Mobil com.tmobtech.halkbank\r\nTide - Smart Mobile Banking com.tideplatform.banking\r\nBanca Móvil Laboral Kutxa com.tecnocom.cajalaboral\r\nCEPTETEB com.teb\r\nTARGOBANK Mobile Banking com.targo_prod.bad\r\nSunTrust Mobile App com.suntrust.mobilebanking\r\nSparkasse Ihre mobile Filiale com.starfinanz.smob.android.sfinanzstatus\r\nIDBI Bank GO Mobile+ com.snapwork.IDBI\r\nSCB EASY com.scb.phone\r\nYono Lite SBI - Mobile Banking com.sbi.SBIFreedomPlus\r\nSantander Private Banking com.santander.bpi\r\nruralvía com.rsi\r\nRBC Mobile com.rbc.mobile.android\r\nLiquid by Quoineライト版（リキッドバイコイン） -ビットコインなどの仮想通貨取引所 com.quoine.quoinex.light\r\nPTTBank com.pttfinans\r\nİşCep - Mobile Banking com.pozitron.iscep\r\nBill Payment \u0026 Recharge,Wallet com.oxigen.oxigenwallet\r\nPapara com.mobillium.papara\r\nBHIM UPI, Money Transfer, Recharge \u0026 Bill Payment com.mobikwik_new\r\nOdeabank com.magiclick.odeabank\r\nYouApp com.lynxspa.bancopopolare\r\nIntesa Sanpaolo Mobile com.latuabancaperandroid\r\nKuveyt Türk com.kuveytturk.mobil\r\nKutxabank com.kutxabank.android\r\nKMA com.krungsri.kma\r\nCapital One® Mobile com.konylabs.capitalone\r\nK PLUS com.kasikorn.retail.mbanking.wap\r\nING France com.IngDirectAndroid\r\nING Mobil com.ingbanktr.ingmobil\r\nBank of America Mobile Banking com.infonow.bofa\r\nTriodos Bank. Banca Móvil com.indra.itecban.triodosbank.mobile.banking\r\nNBapp Spain com.indra.itecban.mobile.novobanco\r\nimaginBank - Your mobile bank com.imaginbank.app\r\nבנק הפועלים - ניהול החשבון com.ideomobile.hapoalim\r\nGrupo Cajamar com.grupocajamar.wefferent\r\nHalifax: the banking app that gives you extra com.grppl.android.shell.halifax\r\nLloyds Bank Mobile Banking: by your side com.grppl.android.shell.CMBlloydsTSB73\r\nビットコイン・暗号資産（仮想通貨）ウォレットアプリ GMOコイン｜チャート・購入・レバレッジ取引 com.gmowallet.mobilewallet\r\nGaranti BBVA Mobile com.garanti.cepsubesi\r\nCA24 Mobile com.finanteq.finance.ca\r\nEmpik Foto com.empik.empikfoto\r\nEmpik com.empik.empikapp\r\nDiscover Mobile com.discoverfinancial.mobile\r\nMobilDeniz com.denizbank.mobildeniz\r\nDeutsche Bank Mobile com.db.pwcc.dbmobile\r\nMi Banco db com.db.pbc.mibanco\r\nLa Mia Banca com.db.pbc.miabanca\r\nnorisbank App com.db.mm.norisbank\r\niMobile by ICICI Bank com.csam.icici.bank.imobile\r\nCommBank com.commbank.netbank\r\nCrédit Mutuel com.cm_prod.bad\r\nFifth Third Mobile Banking com.clairmail.fth\r\nCIMB Clicks Malaysia com.cimbmalaysia\r\nCIBC Mobile Banking® com.cibc.android.mobi\r\nChase Mobile com.chase.sig.android\r\nCajasur com.cajasur.android\r\nBanque com.caisseepargne.android.mobilebanking\r\nBoursorama Banque com.boursorama.android.clients\r\nBMO Mobile Banking com.bmo.mobile\r\nBanca Móvil BCP com.bcp.bank.bcp\r\nBBVA Perú com.bbva.nxt_peru\r\nBBVA Net Cash | ES \u0026 PT com.bbva.netcash\r\nBBVA Spain com.bbva.bbvacontigo\r\nBankinter Móvil com.bankinter.launcher\r\nBankinter Empresas com.bankinter.empresas\r\nmyAT\u0026T com.att.myWireless\r\nAmOnline com.ambank.ambankonline\r\nAlbaraka Mobile Banking com.albarakaapp\r\nAkbank com.akbank.android.apps.akbank_direkt\r\nOTP SmartBank com.aff.otpdirekt\r\nABN AMRO Mobiel Bankieren com.abnamro.nl.mobile.payments\r\nABANCA Empresas com.abanca.bancaempresas\r\nInvoice Maker: Estimate \u0026 Invoice App com.aadhk.woinvoice\r\nAutoScout24 Switzerland – Find your new car ch.autoscout24.autoscout24\r\nNAB Mobile Banking au.com.nab.mobile\r\nING Australia Banking au.com.ingdirect.android\r\nWiZink, tu banco senZillo app.wizink.es\r\nUsługi Bankowe alior.bankingapp.android\r\nQNB Finansbank Mobile Banking com.finansbank.mobile.cepsube\r\n
Credit Card theft target list\r\nThe actual BlackRock target list used for credit card theft contains 111 applications:\r\nApp name Package name\r\nTelegram org.telegram.messenger\r\nViber Messenger - Messages, Group Chats \u0026 Calls com.viber.voip\r\nWhatsApp Messenger com.whatsapp\r\nWhatsApp Business com.whatsapp.w4b\r\nTwitter com.twitter.android\r\nTwitter Lite com.twitter.android.lite\r\nSnapchat com.snapchat.android\r\nSkype - free IM \u0026 video calls com.skype.raider\r\nSkype Lite - Free Video Call \u0026 Chat com.skype.m2\r\nSkype for Business for Android com.microsoft.office.lync15\r\nInstagram com.instagram.android\r\nimo free video calls and chat com.imo.android.imoim\r\nimo beta free calls and text com.imo.android.imoimbeta\r\nimo HD-Free Video Calls and Chats com.imo.android.imoimhd\r\nMessenger – Text and Video Chat for Free com.facebook.orca\r\nFacebook com.facebook.katana\r\nMessenger Lite: Free Calls \u0026 Messages com.facebook.mlite\r\nFacebook Lite com.facebook.lite\r\nPlay Store com.android.vending\r\nYouTube com.google.android.youtube\r\nPlayStation Messages - Check your online friends com.playstation.mobilemessenger\r\nUplive - Live Video Streaming App com.asiainno.uplive\r\nFiesta by Tango - Find, Meet and Make New Friends com.sgiggle.mango\r\nHoop - New friends on Snapchat com.dazz.hoop\r\nLivU: Meet new people \u0026 Video chat with strangers com.videochat.livu\r\nMICO Chat: Make New Friends \u0026 Live Chat com.mico\r\nCrowdfire: Social Media Manager com.justunfollow.android\r\nSKOUT - Meet, Chat, Go Live com.skout.android\r\nLP: Live Stream Video Dating \u0026 Chat ru.loveplanet.app\r\nSurge: Gay Dating \u0026 Chat com.lavendrapp.lavendr\r\nLOVELY – Your Dating App To Meet Singles Nearby com.pinkapp\r\nVK — live chatting \u0026 free calls com.vkontakte.android\r\nAmberfog for VK com.amberfog.vkfree\r\nV LIVE com.naver.vapp\r\nWe Heart It com.weheartit\r\nVideo Chat W-Match : Dating App, Meet \u0026 Video Chat com.waplogmatch.social\r\nReddit com.reddit.frontpage\r\nTango - Live Video Broadcasts com.sgiggle.production\r\nJAUMO Dating – Flirt With Local Singles com.jaumo\r\nFree Dating com.mobile.android.eris\r\nTopface - Dating Meeting Chat com.topface.topface\r\nDISCO 🏳️‍🌈 Gay Dating \u0026 Gay Chat for Homosexuals com.jaumo.gay\r\nMail.Ru Dating ru.mail.love\r\nAirtripp:Free Foreign Chat com.taptrip\r\nAmino Anime Russian аниме и манга com.narvii.amino.x156542274\r\nBigo Live - Live Stream, Live Video \u0026 Live Chat sg.bigo.live\r\nBIGO LIVE Lite – Live Stream sg.bigo.live.lite\r\nWaplog - Dating App to Chat \u0026 Meet New People com.waplog.social\r\nSPICY 🌶 Lesbian Chat \u0026 Dating com.jaumo.lesbian\r\nVK Live com.vk.stream\r\nPeriscope - Live Video tv.periscope.android\r\nHornet - Gay Social Network com.hornet.android\r\nMy World. Movies. Games ru.mail.my\r\nTumblr com.tumblr\r\nBadoo — Dating App to Chat, Date \u0026 Meet New People com.badoo.mobile\r\nBLOOM — Premium Dating \u0026 Find Real Love com.jaumo.prime\r\nIGTV com.instagram.igtv\r\nНочной ВК com.amberfog.reader\r\nGalaxy - Chat Rooms: Meet New People Online \u0026 Date ru.mobstudio.andgalaxy\r\nAmino: Communities and Chats com.narvii.amino.master\r\nASKfm - Ask Me Anonymous Questions com.askfm\r\nKate Mobile for VK com.perm.kate_new_6\r\nF3 - Make new friends, Anonymous questions, Chat cool.f3\r\nAll social media and social networks in one app com.web_view_mohammed.ad.webview_app\r\nАнонимный чат NektoMe com.nektome.talk\r\nPinterest com.pinterest\r\nGet new friends on local chat rooms drug.vokrug\r\nOK ru.ok.android\r\nMamba - Online Dating App: Find 1000s of Single ru.mamba.client\r\nGoogle Play Books - Ebooks, Audiobooks, and Comics com.google.android.apps.books\r\nGoogle Play Music com.google.android.music\r\nGoogle Play Movies \u0026 TV com.google.android.videos\r\nHangouts com.google.android.talk\r\nGoogle Pay: Pay with your phone and send cash com.google.android.apps.walletnfcrel\r\nCatfiz Messenger com.catfiz\r\nTabor - Знакомства ru.tabor.search\r\nVideo Downloader for TikTok - TikMate tikmate.tiktokvideodownloader.savetiktokvideo.nowatermark\r\nTikTok - Make Your Day com.zhiliaoapp.musically\r\nTikTok Lite com.zhiliaoapp.musically.go\r\nWeChat com.tencent.mm\r\nClonApp - Dual Messenger for WhatsApp Story Saver com.bluesoft.clonappmessenger\r\nGlide - Video Chat Messenger com.glidetalk.glideapp\r\nTelegram X org.thunderdog.challegram\r\nKakaoTalk: Free Calls \u0026 Text com.kakao.talk\r\nSOMA free video call and chat com.instanza.baba\r\nBiP – Messaging, Voice and Video Calling com.turkcell.bip\r\nVidogram org.vidogram.messenger\r\nBGram org.telegram.BifToGram\r\nGraph Messenger ir.ilmili.telegraph\r\nKik kik.android\r\nMessenger Messenger Messenger messenger.pro.messenger\r\nfree video calls and chat ru.mail\r\nFaster for Facebook com.nbapstudio.facebooklite\r\nMessenger com.aleskovacic.messenger\r\nPinngle Safe Messenger: Free Calls \u0026 Video Chat com.beint.pinngle\r\nSocial Messenger: Free Mobile Calling, Live Chats com.messagingnew.allinone\r\nICQ New: Instant Messenger \u0026 Group Video Calls com.icq.mobile.client\r\nPlus Messenger org.telegram.plus\r\nTamTam Messenger - free chats \u0026 video calls ru.ok.messages\r\nCoco com.instanza.cocovoice\r\nMessenger messenger.social.chat.apps\r\nFast for Facebook \u0026 Messenger com.messenger.superiorstudio\r\nAzar com.azarlive.android\r\nBermuda Video Chat - Meet New People vixr.bermuda\r\nFachat: Video Chat with New People Online com.fachat.freechat\r\nMeetMe: Chat \u0026 Meet New People com.myyearbook.m\r\nOK Live - video livestreams ru.ok.live\r\nTinder com.tinder\r\nTumile - Meet new people via free video chat com.rcplatform.livechat\r\nBlued - LIVE Gay Dating, Chat \u0026 Video Call to Guys com.blued.international\r\nGrindr - Gay chat com.grindrapp.android\r\nSource: https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html"
	],
	"report_names": [
		"blackrock_the_trojan_that_wanted_to_get_them_all.html"
	],
	"threat_actors": [
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775792119,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fa96e91fcabeac66e99898a34416c28a67ee744.pdf",
		"text": "https://archive.orkl.eu/9fa96e91fcabeac66e99898a34416c28a67ee744.txt",
		"img": "https://archive.orkl.eu/9fa96e91fcabeac66e99898a34416c28a67ee744.jpg"
	}
}