BlankBot¶
BlankBot is an Android banking trojan discovered by Intel 471 on July 24, 2024, primarily targeting Turkish users with screen recording, keylogging via a custom virtual keyboard, and customizable overlay injections. The malware was still under active development when Intel 471 published their analysis, evidenced by multiple code variants across samples, extensive logging, and unfinished functionality. BlankBot uses a session-based package installer to bypass Android 13 restrictions on sideloaded app permissions, a technique also observed in Mandrake, and communicates with its C2 over WebSocket for real-time command execution.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | Late June 2024 (earliest samples) |
| Status | Active, under development |
| Type | Banking trojan |
| Aliases | None known |
| Attribution | Unknown |
| Distribution | Fake utility applications |
Origin and Lineage¶
Intel 471 Malware Intelligence researchers identified BlankBot on July 24, 2024, when analyzing Android samples disguised as utility applications that could not be attributed to any known malware family. The earliest samples dated to late June 2024, and almost all were undetected by antivirus engines on VirusTotal at the time of discovery.
The code showed clear signs of active, ongoing development. Intel 471 observed significant variation between samples, with different code paths, logging output, and partially implemented features across builds. This pattern indicated a developer or team iterating rapidly on the codebase rather than maintaining a stable, production-ready product. Despite the unfinished state, the functional capabilities already present (screen recording, keylogging, overlays, remote control) made BlankBot operationally viable against targets.
Zimperium subsequently analyzed BlankBot and confirmed that the trojan could not evade on-device machine learning protections, suggesting that its evasion capabilities lagged behind its operational features during the early development phase.
Distribution¶
| Vector | Details |
|---|---|
| Fake utility apps | Samples disguised as utility applications with Turkish-language names and strings |
BlankBot distribution relies on impersonating utility applications. Based on application names and embedded strings, Intel 471 assessed that the primary targets were Turkish Android users. The specific delivery mechanism (phishing, malvertising, or third-party app stores) was not detailed in the initial reporting, though the trojan's reliance on sideloading aligns with common distribution through SMS phishing or malicious websites.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Custom keyboard keylogging | Deploys its own virtual keyboard via InputMethodService to capture all keystrokes |
| Screen recording | Uses MediaProjection and MediaRecorder APIs to capture screen content as Base64-encoded JPEG images |
| Custom overlay injections | Creates tailored overlay windows over legitimate apps to steal banking credentials, card data, and personal information |
| SMS interception | Reads and exfiltrates SMS messages from the device |
| Contact list harvesting | Collects the victim's contact database |
| App inventory | Enumerates all installed applications on the device |
| App management | Can uninstall arbitrary applications or launch specific apps |
| Remote gestures | Executes taps, swipes, and navigation commands on the device |
Custom Keyboard Keylogging¶
BlankBot's most distinctive feature is its custom virtual keyboard for keystroke capture. Rather than relying solely on accessibility service event monitoring (the standard approach for most Android banking trojans), BlankBot implements its own InputMethodService that replaces the device's keyboard. This approach parallels the technique used by Frogblight, which also implements a custom InputMethodService for keylogging. By controlling the keyboard itself, BlankBot captures every character the victim types regardless of which application is active, bypassing protections that some banking apps implement to detect accessibility-based keyloggers.
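A defender-side check for this behaviour, added here as an example and not taken from the Intel 471 report: it parses the output of `adb shell settings get secure enabled_input_methods`, `... default_input_method` and `adb shell pm list packages -3` (constructed below, with hypothetical package names and an assumed keyboard allowlist) and flags any third-party IME that is not an approved keyboard, rating it high when it is the device's default IME.

```python
"""Audit which keyboard (IME) a device is actually using.
Added example (not from the Intel 471 report): parses the text printed by
`adb shell settings get secure enabled_input_methods`, `... default_input_method`
and `adb shell pm list packages -3`, all constructed here with hypothetical
package names, and flags third-party IMEs that are not on an allowlist."""

# Constructed command output (hypothetical packages).
ENABLED_IMES = ("com.google.android.inputmethod.latin/com.android.inputmethod.latin.LatinIME"
                ":com.example.cleaner/.KeyService;123456")
DEFAULT_IME = "com.example.cleaner/.KeyService"
THIRD_PARTY_PKGS = "package:com.example.cleaner\npackage:com.example.messenger\n"

# Keyboard packages the organisation has approved (assumed list).
KEYBOARD_ALLOWLIST = {"com.google.android.inputmethod.latin",
                      "com.samsung.android.honeyboard"}


def parse_imes(enabled: str) -> list[str]:
    """Split the colon-separated IME list into 'package/Service' components;
    a ';' after a component introduces subtype ids, which are dropped."""
    return [c.split(";", 1)[0] for c in enabled.strip().split(":") if c]


def parse_third_party(pm_output: str) -> set[str]:
    """Turn `pm list packages -3` lines into a set of package names."""
    return {line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def audit_imes(enabled: str, default: str, pm_output: str) -> list[dict]:
    """Return one finding per third-party IME not on the allowlist. A finding
    is 'high' when that IME is the default: every keystroke then routes
    through it, which is exactly the BlankBot keylogging path."""
    third_party = parse_third_party(pm_output)
    findings = []
    for comp in parse_imes(enabled):
        pkg = comp.split("/", 1)[0]
        if pkg in KEYBOARD_ALLOWLIST or pkg not in third_party:
            continue  # approved keyboard or preinstalled system IME
        is_default = comp == default.strip()
        findings.append({"component": comp, "package": pkg,
                         "is_default": is_default,
                         "severity": "high" if is_default else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit_imes(ENABLED_IMES, DEFAULT_IME, THIRD_PARTY_PKGS):
        print(f"[{f['severity']}] {f['component']} default={f['is_default']}")
```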
Screen Recording¶
BlankBot leverages Android's MediaProjection API to initiate screen capture and the MediaRecorder API to record the output. Captured screen content is encoded as Base64 JPEG images and transmitted to the C2 server. This provides operators with visual confirmation of victim activity, overlay effectiveness, and any on-screen data that keylogging alone would not capture (such as autofilled credentials or biometric prompts).
Custom Overlay Injections¶
The trojan creates customizable overlay windows that render on top of legitimate banking and financial applications. These overlays present fake input fields designed to mimic the target application's login or payment interface, soliciting banking credentials, payment card details, and personal information. The overlays are served from the C2, allowing operators to update phishing templates without pushing new malware builds to infected devices.
Permissions¶
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Remote gesture execution, overlay triggering, UI monitoring |
| SYSTEM_ALERT_WINDOW | Custom overlay windows for credential theft |
| READ_SMS | SMS message exfiltration |
| RECEIVE_SMS | Real-time SMS interception for OTP theft |
| READ_CONTACTS | Contact list harvesting |
| READ_PHONE_STATE | Device fingerprinting |
| QUERY_ALL_PACKAGES | Enumerate all installed applications |
| REQUEST_INSTALL_PACKAGES | Session-based package installer for payload deployment |
| REQUEST_DELETE_PACKAGES | Uninstall arbitrary applications |
| INTERNET | HTTP and WebSocket C2 communication |
| FOREGROUND_SERVICE | Persistent background operation |
| RECEIVE_BOOT_COMPLETED | Restart after device reboot |
| WAKE_LOCK | Keep device active during screen recording and remote control |
Technical Details¶
Android 13 Restriction Bypass¶
BlankBot uses a session-based package installer to circumvent restrictions introduced in Android 13 that prevent sideloaded applications from requesting dangerous permissions (particularly accessibility service access). The malware first prompts the victim to allow installation from third-party sources, then retrieves an unencrypted APK from its assets directory and initiates installation through the session-based installer API. This technique, also employed by Mandrake, exploits the fact that session-based installations are treated differently by Android's permission framework than standard sideloaded installs.
C2 Communication¶
BlankBot establishes initial contact with its C2 server by sending device information in an HTTP GET request. After this handshake, communication switches to the WebSocket protocol for persistent, bidirectional messaging. Bot commands received over WebSocket control all major functions: starting and stopping screen recording, executing gestures, creating overlay windows, collecting device data, and managing applications on the device.
Development Indicators¶
Intel 471's analysis noted several indicators of active development across BlankBot samples:
- Multiple code variants with divergent implementations of the same features
- Extensive debug logging left in production builds
- Partially implemented functionality alongside fully operational modules
- Variation in obfuscation levels between samples
C2 Infrastructure¶
| Component | Details |
|---|---|
| Initial handshake | HTTP GET request with device information |
| Persistent channel | WebSocket protocol for bidirectional command and control |
| Screen data format | Base64-encoded JPEG images transmitted over WebSocket |
| Command delivery | WebSocket messages for screen recording control, gesture execution, overlay management, data collection |
| Overlay templates | Served from C2, allowing remote updates without new APK builds |
Target Regions¶
| Period | Primary Targets |
|---|---|
| June-July 2024 | Turkish Android users |
Application names, UI strings, and embedded language resources all point to Turkish users as the primary targets. The trojan's overlay injection framework is generic enough to target applications in any region, and given BlankBot's active development trajectory, expansion beyond Turkey is a natural progression.
Notable Campaigns¶
July 2024: Intel 471 disclosed BlankBot after discovering multiple samples disguised as utility applications targeting Turkish users. The trojan was under active development with multiple code variants, but already featured functional screen recording, custom keyboard keylogging, overlay injections, and WebSocket-based remote control. Nearly all samples were undetected by antivirus scanners at the time of discovery.
August 2024: Zimperium published a supplementary analysis confirming BlankBot's capabilities and noting that the trojan could not evade on-device machine learning detection, providing a detection advantage for devices with ML-based security solutions deployed.
Related Families¶
| Family | Relationship |
|---|---|
| Frogblight | Both implement custom InputMethodService keyboards for keylogging rather than relying solely on accessibility event monitoring. Frogblight is also a Turkish-focused banking trojan. |
| Mandrake | Both use session-based package installation to bypass Android 13 sideloading restrictions on dangerous permissions. |
| Antidot | Both use WebSocket for C2 communication and combine overlay attacks with remote device control, though Antidot adds VNC-based screen streaming rather than screen recording. |
| Brokewell | Both were under rapid, active development when first discovered, with near-daily capability additions. Both combine screen capture with remote control. |
| Crocodilus | Both bypass Android 13+ restrictions on sideloaded app permissions, though through different mechanisms. |
Detection¶
| Indicator Type | Details |
|---|---|
| Custom keyboard | App registering an InputMethodService without being a legitimate keyboard application |
| MediaProjection abuse | Screen capture permissions requested by a utility app |
| Session-based installation | Use of PackageInstaller.Session API to bypass Android 13 sideloading restrictions |
| WebSocket traffic | Persistent WebSocket connections to unknown servers from a utility app |
| Debug logging | Excessive Log calls in production builds (early samples) |
| Turkish-language resources | Application names and strings in Turkish |
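A static triage check that scores a decoded AndroidManifest.xml against the manifest-visible indicators in this table (custom InputMethodService, accessibility service, and the overlay, SMS and package-install/delete/query permissions), added here as an example and not code from the Intel 471 or Zimperium analyses; the manifest is constructed and the package name hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml for BlankBot-style traits.
Added example (not from the Intel 471 report); the manifest is constructed and
the package name hypothetical. Decode a real APK with apktool first."""
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: XML namespace

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Cleaner">
    <service android:name=".KeyService"
        android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Permissions whose co-occurrence with a custom keyboard is the signal.
WATCHED = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows",
    "android.permission.READ_SMS": "SMS exfiltration",
    "android.permission.RECEIVE_SMS": "OTP interception",
    "android.permission.REQUEST_INSTALL_PACKAGES": "session-based installer",
    "android.permission.REQUEST_DELETE_PACKAGES": "app removal",
    "android.permission.QUERY_ALL_PACKAGES": "app inventory",
}


def triage(manifest_xml: str) -> dict:
    """Return found traits and a verdict: a custom IME plus an accessibility
    service plus at least two watched permissions is rated BlankBot-like."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    traits = [label for perm, label in WATCHED.items() if perm in perms]
    for svc in root.iter("service"):  # services declared under <application>
        bind = svc.get(A + "permission", "")
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if bind.endswith("BIND_INPUT_METHOD") or "android.view.InputMethod" in actions:
            traits.append("custom InputMethodService")
        if bind.endswith("BIND_ACCESSIBILITY_SERVICE"):
            traits.append("accessibility service")
    suspicious = ("custom InputMethodService" in traits and "accessibility service"
                  in traits and sum(perm in perms for perm in WATCHED) >= 2)
    return {"package": root.get("package"), "traits": traits,
            "blankbot_like": suspicious}
```

The MediaProjection, WebSocket and debug-logging indicators are not visible in the manifest and need dynamic analysis or decompiled code review.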