{
	"id": "69695325-b61e-4351-bd9a-f66d46f9fbaa",
	"created_at": "2026-04-06T00:13:24.255384Z",
	"updated_at": "2026-04-10T13:13:01.163914Z",
	"deleted_at": null,
	"sha1_hash": "aa995fb10df4b96e1623dc92461ef0d1fd5aaf8d",
	"title": "BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74501,
	"plain_text": "BlankBot - a new Android banking trojan with screen recording, keylogging and remote control capabilities\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 14:32:51 UTC\r\nKey Points:\r\nIn July 2024, Intel 471 Malware Intelligence researchers discovered the new BlankBot Android banking trojan.\r\nBased on the application names and certain strings found within the application, it is highly likely that BlankBot’s primary targets are Turkish users.\r\nBlankBot features a range of malicious capabilities, including custom injections, keylogging and screen recording, and it communicates with a control server over a WebSocket connection.\r\nAt the time of this report, most samples remain largely undetected by the majority of antivirus software, according to the VirusTotal service.\r\nThe malware apparently is still under development, as indicated by the presence of logs and code variants.\r\nOverview\r\nOn July 24, 2024, Intel 471 Malware Intelligence researchers discovered malicious Android samples that impersonated utility applications and could not be attributed to any known malware family (see: Figure 1). We named the family BlankBot since there was no reference to it in open sources at the time of this report.\r\nThe first BlankBot samples date from the end of June 2024 and almost all were undetected by most antivirus software.\r\n[Image: Blank Bot image7 - Figure 1: The image depicts a screenshot of Android package kit (APK) icons BlankBot malware used, which we captured July 29, 2024.]\r\nLike many other Android banking trojans, BlankBot abuses accessibility services to obtain complete control of infected devices. In particular, the malware is able to log everything that appears on the infected device, including short message service (SMS) text, sensitive information and a list of applications used.
The malware is also able to conduct custom injections to steal banking information, such as payment card data and the device lock pattern.\r\nCommunications between BlankBot and a controller start with a “GET” request whose hypertext transfer protocol (HTTP) headers include information about the infected device, such as the battery level, screen size, model, manufacturer and operating system (OS) version. The malware uses port 8080 via a WebSocket connection for subsequent controller communication.\r\nhttps://intel471.com/blog/blankbot-a-new-android-banking-trojan-with-screen-recording-keylogging-and-remote-control-capabilities\r\nPage 1 of 7\n\nAt this early stage, application names and certain strings found within the application suggest that the primary BlankBot targets are likely Turkish users. However, no specific financial institutions were identified as targets during our analysis; therefore, this malware could be distributed in campaigns against users in different countries.\r\nTechnical analysis\r\nOnce the malicious app is installed, its icon is not displayed on the device launcher and the user is prompted to grant accessibility permissions, accompanied by an explanation message (see: Figure 2):\r\n“Welcome! App needs Accessibility permission to run properly. Please give accessibility permission!”\r\n[Image: Blank Bot image2 - Figure 2: The image depicts a screenshot of the BlankBot installation process, which we captured July 29, 2024.]\r\nThe malware subsequently initiates communication with the control server by sending an HTTP “GET” request to the controller and then switches to the WebSocket protocol.\r\nOnce accessibility service access is granted, BlankBot displays a black screen to the user indicating that the app is updating.
However, in the background the malware automatically obtains all the permissions it needs (see: Figure 3).\r\n[Image: Blank Bot image3 - Figure 3: The image depicts a screenshot of a fake update screen and permissions BlankBot obtained automatically, which we captured July 29, 2024.]\r\nIf the malware is installed on a device running Android 13 or newer, BlankBot uses a session-based package installer to bypass the restricted settings feature introduced in Android 13. The bot asks the victim to allow installing applications from third-party sources, then retrieves the Android package kit (APK) file stored unencrypted inside the application's assets directory and proceeds with the package installation (see: Figure 4).\r\n[Image: Blank Bot image10 - Figure 4: The image depicts a screenshot of the BlankBot payload installation phase on Android 13, which we captured July 29, 2024.]\r\nCapabilities\r\nScreen recording\r\nThe malware can perform screen recording using Android's MediaProjection and MediaRecorder application programming interfaces (APIs). BlankBot captures a video of the device screen via the MediaProjection API and saves the content as a Moving Picture Experts Group (MP4) file within the application's internal storage. However, this feature apparently is still under development, since the implementation changes between samples.\r\nBlankBot uses the MediaRecorder API to capture screen images after specifying the height and width of the infected device display, the image format and the maximum number of images to acquire.
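The dropper behaviour and the recording APIs described above leave static traces that are cheap to check before any dynamic analysis. The following Python script is an added example written for this page; it is not code from the Intel 471 report or from BlankBot. It opens an APK as the zip it is, searches every classes*.dex entry for the class descriptors the report names (AccessibilityService, PackageInstaller.Session, MediaProjection, MediaRecorder, InputMethodService), and reports any entry under assets/ that is itself an unencrypted APK. The sample APKs are constructed in memory with stub contents; the descriptor list and the combination rule in triage() are this editor's assumptions, and a plain byte search will miss samples that encrypt or split those strings.

```python
import io
import zipfile

# Class descriptors the report associates with BlankBot's behaviour. The DEX
# string pool keeps descriptors in this form, so a byte search finds them
# unless the sample encrypts or splits its strings (assumption: it does not).
DEX_INDICATORS = {
    'accessibility_service': b'Landroid/accessibilityservice/AccessibilityService;',
    'session_installer': b'Landroid/content/pm/PackageInstaller$Session;',
    'media_projection': b'Landroid/media/projection/MediaProjection;',
    'media_recorder': b'Landroid/media/MediaRecorder;',
    'input_method_service': b'Landroid/inputmethodservice/InputMethodService;',
}

# Local file header magic that every non-empty zip (and therefore APK) starts with.
ZIP_MAGIC = b'PK' + bytes([3, 4])


def find_nested_apks(apk_bytes):
    # Entries under assets/ that are themselves an unencrypted APK: a zip
    # whose own entries include classes.dex or AndroidManifest.xml.
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith('assets/'):
                continue
            data = outer.read(name)
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    inner_names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            if 'classes.dex' in inner_names or 'AndroidManifest.xml' in inner_names:
                hits.append(name)
    return hits


def scan_dex_strings(apk_bytes):
    # Labels whose descriptor occurs in any classes*.dex entry.
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not (name.startswith('classes') and name.endswith('.dex')):
                continue
            blob = outer.read(name)
            for label, needle in DEX_INDICATORS.items():
                if needle in blob:
                    found.add(label)
    return found


def triage(apk_bytes):
    # Dropper plus accessibility plus a capture surface is the profile the
    # report describes; any single hit on its own is common in benign apps.
    indicators = scan_dex_strings(apk_bytes)
    nested = find_nested_apks(apk_bytes)
    suspicious = bool(nested) and 'accessibility_service' in indicators and (
        'media_projection' in indicators or 'input_method_service' in indicators)
    return {'indicators': sorted(indicators), 'nested_apks': nested,
            'suspicious': suspicious}


def build_zip(entries):
    # Build a zip in memory from a {name: bytes} mapping (used for the
    # constructed samples below; a real APK is read from disk instead).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: stub manifests and a fake string pool, not real DEX.
PAYLOAD_APK = build_zip({
    'AndroidManifest.xml': b'<stub manifest>',
    'classes.dex': b'stub-string-pool:' + DEX_INDICATORS['media_projection'],
})
DROPPER_APK = build_zip({
    'AndroidManifest.xml': b'<stub manifest>',
    'classes.dex': b'stub-string-pool:'
        + DEX_INDICATORS['accessibility_service']
        + DEX_INDICATORS['session_installer']
        + DEX_INDICATORS['input_method_service'],
    'assets/update.apk': PAYLOAD_APK,
})
BENIGN_APK = build_zip({
    'classes.dex': b'stub-string-pool:' + DEX_INDICATORS['media_recorder'],
    'assets/logo.png': b'not a zip',
})

if __name__ == '__main__':
    for tag, sample in (('dropper', DROPPER_APK), ('benign', BENIGN_APK)):
        print(tag, triage(sample))
```

For a real sample, replace the constructed bytes with the file contents and treat a positive triage() as a reason to run the APK in an instrumented emulator, keeping in mind that the report notes BlankBot checks for emulators before misbehaving.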
The Joint Photographic Experts Group (JPEG) images captured are Base64 encoded and sent to the remote server (see: Figure 5).\r\n[Image: Blank Bot image5 - Figure 5: The image depicts a screenshot of malware code used to exfiltrate captured screen images, which we captured July 30, 2024.]\r\nKeylogging\r\nAs with many other Android banking trojans, accessibility services play a key role in intercepting and stealing confidential information. BlankBot abuses accessibility to retrieve data from the infected device, such as the list of applications used, notifications, text the user types and other sensitive information that appears on the screen or that the victim copies and pastes.\r\n[Image: Blank Bot image9]\r\nUnlike most other malware, however, BlankBot also uses a custom virtual keyboard implemented via the “InputMethodService” class that Android provides. The primary purpose of this code is to intercept the keys the user presses on the keyboard and send them to the controller.\r\n[Image: Blank Bot image6 - Figure 7: The image depicts a screenshot of a malware code snippet used to send intercepted keyboard keystrokes to the controller, which we captured July 29, 2024.]\r\nInjections\r\nUpon receiving a specific command from the command-and-control (C2) server, the bot can create a customizable overlay tailored to the threat actors’ needs. The overlay can be used to ask for banking credentials, personal information or payment card data, or to steal the lock pattern.
The malware developers included two external, open source libraries to implement the custom injection templates:\r\nThe CompactCreditInput library at https://github.com/10bis/CompactCreditInput is used to create a view that steals payment card data, automatically validates the data and shows the card type logo based on the number entered.\r\nThe Pattern Locker View library at https://github.com/l7naive/pattern-lock is used to create a pattern lock view.\r\nWe simulated the control server functionality to trigger and test a wide variety of BlankBot capabilities, including overlays. We issued a command to create three different views customized with the ING bank logo and user interface (UI) text elements (see: Figure 8). Any user input was logged and promptly exfiltrated to the control server.\r\n[Image: Blank Bot image4 - Figure 8: The image depicts a screenshot of customized overlays that our Malware Intelligence Team generated, which we captured July 30, 2024.]\r\nCommands\r\nBlankBot communicates with the C2 server over a WebSocket connection to exfiltrate data and receive a wide range of bot commands. Specifically, the botmaster can start and stop screen recording to receive a live view of the infected device display. For applications that set the “FLAG_SECURE” window flag to prevent sensitive data from being captured, the botmaster can use a hidden virtual network computing (HVNC) module that abuses the accessibility services to exfiltrate the layout of UI elements.
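Simulating the controller, as was done above to drive the overlays, starts with completing the handshake the bot initiates: a plain HTTP GET that carries the device fingerprint in its headers and is upgraded to a WebSocket on port 8080. The following Python code is an added example and is not part of the report or of the malware. It parses such a check-in, keeps every non-standard header as device metadata, checks that the destination port is the one the report documents, and builds the RFC 6455 101 response with the correct Sec-WebSocket-Accept value, which any conforming WebSocket client library requires before it treats the connection as open. The request is constructed; the X-* header names are assumptions, since the report does not publish the real ones, and the Sec-WebSocket-Key is the sample key from RFC 6455.

```python
import base64
import hashlib

CRLF = chr(13) + chr(10)
# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept.
WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'
# Port the report documents for the WebSocket control channel.
C2_PORT = 8080
# Headers that belong to HTTP or the WebSocket handshake itself; anything
# else in the bot's first GET is treated as device metadata.
STANDARD_HEADERS = {'host', 'upgrade', 'connection', 'user-agent', 'origin',
                    'sec-websocket-key', 'sec-websocket-version',
                    'sec-websocket-extensions', 'sec-websocket-protocol'}


def parse_request(raw):
    # Split an HTTP/1.1 request into (method, path, lower-cased header dict).
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    method, path, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def accept_key(client_key):
    # RFC 6455 section 4.2.2: base64(SHA-1(client key + GUID)).
    digest = hashlib.sha1((client_key + WS_GUID).encode('ascii')).digest()
    return base64.b64encode(digest).decode('ascii')


def is_websocket_upgrade(method, headers):
    return (method == 'GET'
            and headers.get('upgrade', '').lower() == 'websocket'
            and 'upgrade' in headers.get('connection', '').lower()
            and 'sec-websocket-key' in headers)


def build_response(headers):
    # The 101 Switching Protocols reply that completes the handshake.
    return CRLF.join([
        'HTTP/1.1 101 Switching Protocols',
        'Upgrade: websocket',
        'Connection: Upgrade',
        'Sec-WebSocket-Accept: ' + accept_key(headers['sec-websocket-key']),
    ]) + CRLF + CRLF


def handle_check_in(raw):
    # Returns None for anything that is not a WebSocket upgrade; otherwise the
    # parsed device metadata, the port check and the response to send back.
    method, path, headers = parse_request(raw)
    if not is_websocket_upgrade(method, headers):
        return None
    host = headers.get('host', '')
    port = int(host.rsplit(':', 1)[1]) if ':' in host else 80
    device = {k: v for k, v in headers.items() if k not in STANDARD_HEADERS}
    return {'path': path, 'port': port, 'c2_port': port == C2_PORT,
            'device': device, 'response': build_response(headers)}


# Constructed check-in. The Sec-WebSocket-Key is the RFC 6455 sample key; the
# X-* header names are assumed, since the report does not publish the real ones.
SAMPLE_REQUEST = CRLF.join([
    'GET / HTTP/1.1',
    'Host: 192.0.2.10:8080',
    'Upgrade: websocket',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
    'Sec-WebSocket-Version: 13',
    'X-Battery: 87',
    'X-Screen: 1080x2340',
    'X-Model: SM-A505F',
    'X-Manufacturer: samsung',
    'X-Os: 13',
]) + CRLF + CRLF

if __name__ == '__main__':
    result = handle_check_in(SAMPLE_REQUEST)
    print(result['device'], result['c2_port'])
    print(result['response'])
```

A fake C2 for dynamic analysis writes result['response'] back to the socket and then has to speak WebSocket framing (masked client frames, unmasked server frames) to deliver the command IDs listed below; that framing layer is not implemented here.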
Threat actors can perform on-device fraud (ODF) by waking up the device and controlling it remotely with different supported gestures, such as clicks or swipes. Additionally, BlankBot can create overlays, as described in the previous section, and collect contacts, SMS text and the list of installed applications. The commands supported by the bot are described in the table below.\r\nCommand ID | Description\r\n-3 | Stop HVNC module\r\n-1 | Stop screen recording\r\n1 | Start screen recording\r\n2 | Perform a gesture\r\n3 | Start HVNC module\r\n11 | Create an overlay with message\r\n12 | Request a permission or change device settings\r\n13 | Collect SMS text\r\n15 | Collect contacts\r\n16 | Send text message\r\n18 | Wake up device\r\n20 | Collect installed applications\r\n22 | Create an overlay with edit text or pattern\r\n24 | Delete an SMS text\r\n25 | Uninstall an application\r\n26 | Launch an application\r\n27 | Create an overlay for payment card data\r\nDefense evasion\r\nOnce installed on a device, the malware checks whether it is running on an emulator. If the infected device is considered legitimate, it attempts to maintain persistence by preventing the user from performing a variety of actions, such as accessing the settings or antivirus applications.
This is achieved using the accessibility services, which monitor all events on the infected device and watch for certain words that appear on the screen (see: Figure 9).\r\n[Image: Blank Bot image8 - Figure 9: The image depicts malware code BlankBot uses to maintain persistence on an infected device, which we captured July 29, 2024.]\r\nRecent BlankBot samples were partially obfuscated and junk code was added to slow down reverse engineering, which makes it significantly more challenging for security researchers to analyze the code and understand the malware’s behavior.\r\n[Image: Blank Bot image1 - Figure 10: The image depicts a screenshot of the same malware code BlankBot implemented in two different variants, which we captured July 29, 2024.]\r\nConclusions\r\nBlankBot is a new Android banking trojan still under development, as evidenced by the multiple code variants observed in different applications.
Regardless, the malware can perform malicious actions once it infects an Android device, including custom injection attacks, ODF and theft of sensitive data such as credentials, contacts, notifications and SMS messages.\r\nThis research aims to demonstrate how the mobile threat landscape continually evolves and how cybercriminals continue to create new types of malware that stay under the radar until they receive media attention or interest from most antivirus companies.\r\nIndicators of compromise (IoCs)\r\nBlankBot APK SHA-256\r\n7d5b6bcc9b93aedc540e76059ee27841a96acb9ea74a51545dfef18b0fcf5b57\r\n6fc672288e68146930b86c7a3d490f551c8d7a7e8ba3229d64a6280118095bea\r\nad9044d9762453e2813be8ab96b9011efb2f42ab72a0cb26d7f98b9bd1d65965\r\nb4b4b195e14e9fda5a6d890ddb57f93ef81d6d9a976078354450ee45d18c89e3\r\n8d6ca64e4c3c19587405e19d53d0e2f4d52b77f927621d4178a3f7c2bf50c2ea\r\nd163cc15a39fb36391bd67f6eaada6691f0c7bc75fc80282a4a258244163e12a\r\n6681b0613fc6d5a3e1132f7499380eb9db52b03ab429f0c2109a641c9a2ea4d3\r\n11751c6aa3e5c44c92765876bc9cd46da90f466b9924b9b1993fa1c91157681d\r\nfc5099e5be818f8268327aaf190cd07b4b4ebb04e9d63eefa5a04ea504f93d62\r\nBlankBot control servers\r\n79.133.41.52\r\n185.255.92.185\r\nMITRE ATT\u0026CK\r\nMITRE ATT\u0026CK techniques\r\nTECHNIQUE TITLE | ID | USE\r\nCollection [TA0035]\r\nClipboard Data | T1414 | Writes data to the user's clipboard when a specific command is received from the control server\r\nKeylogging | T1417.001 | Logs keystrokes by abusing the accessibility API\r\nScreen Capture | T1513 | Records screen content using the MediaProjection and MediaRecorder APIs\r\nContact List | T1636.003 | Collects and exfiltrates the device's contact list\r\nSMS Messages | T1636.004 | Collects and exfiltrates SMS text from the device\r\nCredential Access [TA0031]\r\nGUI Input Capture | T1417.002 | Creates overlays to steal payment card data and the pattern lock\r\nDiscovery [TA0032]\r\nSoftware Discovery | T1418 | Retrieves a list of installed applications and exfiltrates it to the controller\r\nSystem Information Discovery | T1426 | Collects device information such as manufacturer, model, operating system version, battery level and screen size\r\nCommand and Control [TA0037]\r\nNon-Standard Port | T1509 | Communicates with the control server over a WebSocket connection on port number 8080\r\nImpact [TA0034]\r\nInput Injection | T1516 | Abuses accessibility services to perform arbitrary actions on behalf of the user\r\nSMS Control | T1582 | Sends an SMS text to a specified phone number\r\nPersistence [TA0028]\r\nBroadcast Receivers | T1624.001 | Registers the “BOOT_COMPLETED” broadcast intent to run when the device boots\r\nPrivilege Escalation [TA0029]\r\nDevice Administrator Permissions | T1626.001 | Asks for device administrator privileges following a specific command\r\nDefense Evasion [TA0030]\r\nSuppress Application Icon | T1628.001 | Hides the icon from the application launcher\r\nPrevent Application Removal | T1629.001 | Abuses accessibility services to prevent the user from uninstalling the malware application\r\nUninstall Malicious Application | T1630.001 | Uninstalls the malware application from the infected device after a specific command\r\nVirtualization/Sandbox Evasion | T1633 | Performs anti-emulation checks to avoid running in a sandbox environment\r\nExfiltration [TA0036]\r\nExfiltration Over Alternative Protocol | T1639 | Exfiltrates collected data via the WebSocket network protocol\r\nSource: 
https://intel471.com/blog/blankbot-a-new-android-banking-trojan-with-screen-recording-keylogging-and-remote-control-capabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/blankbot-a-new-android-banking-trojan-with-screen-recording-keylogging-and-remote-control-capabilities"
	],
	"report_names": [
		"blankbot-a-new-android-banking-trojan-with-screen-recording-keylogging-and-remote-control-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa995fb10df4b96e1623dc92461ef0d1fd5aaf8d.pdf",
		"text": "https://archive.orkl.eu/aa995fb10df4b96e1623dc92461ef0d1fd5aaf8d.txt",
		"img": "https://archive.orkl.eu/aa995fb10df4b96e1623dc92461ef0d1fd5aaf8d.jpg"
	}
}