CyberSecurity SEE

BlankBot Trojan Directed Towards Turkish Android Users

A recent report from a threat intelligence firm has uncovered a new malicious Android program that seems to be specifically targeting Turkish-language speakers. This program, known as BlankBot, is designed to steal sensitive information by capturing keystrokes, taking screen grabs, and creating custom overlays that mimic legitimate websites to deceive users.

According to the report published by cyberthreat-intelligence firm Intel 471 on August 1, BlankBot is still in active development, as evidenced by the significant number of code variants and log files associated with the malware. Despite this ongoing development, the program has managed to evade detection by most anti-malware scanners hosted on platforms like VirusTotal.

The developers behind BlankBot appear to be experienced Android application developers with a deep understanding of account takeover (ATO) operations. By using openly available libraries, the malware operators can create highly realistic phishing pages that closely imitate genuine financial applications, making it more likely for unsuspecting users to fall victim to their schemes.

Although the motive behind the targeting of Turkish-language speakers remains unclear, Turkey has increasingly become a focal point for cyberattacks in recent years. Various threat actors, including nation-state espionage groups like India’s SideWinder and China’s APT41, have been actively targeting individuals and industries in Turkey, adding to the growing cybersecurity challenges faced by the country.

In response to these threats, Turkey has been ramping up its own cyber capabilities, with groups linked to the country engaging in cyber espionage activities against Kurdish opposition groups in Europe, the Middle East, and North Africa. Additionally, another cybercriminal group based in Turkey has been targeting corporate databases in the United States, Europe, and Latin America using ransomware attacks.

As for the BlankBot malware itself, it possesses a range of sophisticated features that enable it to carry out its malicious activities. By leveraging Android’s accessibility features, the malware can take control of devices to record screens, capture keystrokes, and create realistic overlays for harvesting sensitive credentials such as usernames, passwords, and credit card information.

Moreover, BlankBot can control certain device features by spoofing finger swipes, allowing threat actors to execute on-device fraud remotely. The code includes anti-analysis capabilities and Turkish-language strings, but the malware could potentially be localized to target users in other countries and institutions, expanding its reach beyond its current scope.
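For defenders triaging an unknown APK, the combination described above (an accessibility service plus the ability to draw overlays) is visible in the app's decoded manifest. The following is an added example, not code from Intel 471 or from the malware; the sample manifest, its package and class names, and the triage levels are constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed manifest for illustration; package and class names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Return package, declared accessibility services, overlay flag and a triage level."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # An accessibility service declares both the bind permission and this action.
        if svc.get(A + "permission") == BIND and ACTION in actions:
            services.append(svc.get(A + "name"))
    overlay = OVERLAY in perms
    if services and overlay:
        level = "high"      # accessibility control plus draw-over-other-apps
    elif services:
        level = "review"    # screen readers and password managers also land here
    else:
        level = "low"
    return {"package": root.get("package"), "accessibility_services": services,
            "overlay_permission": overlay, "level": level}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A "high" or "review" result is a prompt for manual analysis, not a verdict, since legitimate assistive apps declare the same service type.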

Overall, the emergence of BlankBot underscores the growing threat of cybercrime targeting Turkish-language speakers and highlights the need for heightened cybersecurity measures to counter these malicious activities. With cyber threats evolving rapidly, it is crucial for individuals and organizations to stay vigilant and adopt robust security practices to safeguard against the ever-present risks posed by malware and other forms of cyberattacks.
