A new form of Android mobile malware has emerged in the threat landscape with its eye on consumer and business financial data.
On Thursday, the Cybereason Nocturnus team said that EventBot appeared in March and combines a Trojan and information stealer capable of exfiltrating user financial application data, as well as conducting covert spying on victims.
EventBot targets over 200 mobile financial and cryptocurrency applications, including those offered by PayPal, Barclays, CapitalOne UK, Coinbase, TransferWise, and Revolut. Financial and banking services across Europe and the United States are specifically targeted.
Currently, the majority of targeted institutions are in Italy, the UK, Germany, and France.
The malware appears to still be under active development, with indicators including version numbers 0.0.0.1, 0.0.0.2, and 0.3.0.1, as well as IDs named with "test" in the codebase.
EventBot abuses Android's accessibility features to compromise devices. After being downloaded -- which researchers believe will likely happen through rogue APK stores upon formal release, unless an operator is able to smuggle it past Google Play security -- the malware, masquerading as a legitimate application, first asks for a set of permissions.
The permissions requested include access to accessibility features, package installation controls, the ability to open network sockets and read from external storage, and the option to run in the background, among others.
If a victim accepts the requests, the malware can "operate as a keylogger and can retrieve notifications about other installed applications and content of open windows," the researchers say, and will automatically download and update a configuration file containing the financial app target list.
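A defender can triage an app for the permission combination described above by reading its decoded AndroidManifest.xml. The following is an added example, not code from the article or from the researchers' report; the mapping from each described capability to an Android permission name, the threshold, and both sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Capability named in the article -> Android permission (mapping assumed here).
WATCHED = {
    "accessibility": P + "BIND_ACCESSIBILITY_SERVICE",
    "package_install": P + "REQUEST_INSTALL_PACKAGES",
    "network": P + "INTERNET",
    "read_storage": P + "READ_EXTERNAL_STORAGE",
    "background": P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}

def manifest_capabilities(manifest_xml):
    """Return the watched capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    present = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        present |= {e.get(NS + "name") for e in root.iter(tag)}
    # An accessibility service is declared on <service android:permission=...>,
    # not requested through <uses-permission>, so check both places.
    present |= {e.get(NS + "permission") for e in root.iter("service")}
    return sorted(c for c, perm in WATCHED.items() if perm in present)

def triage(manifest_xml, threshold=4):
    """Flag apps pairing an accessibility service with most other capabilities."""
    caps = manifest_capabilities(manifest_xml)
    return {"capabilities": caps,
            "flagged": "accessibility" in caps and len(caps) >= threshold}

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application><service android:name=".Svc"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

Legitimate apps such as screen readers also declare an accessibility service, so a flag here is a prompt for manual review rather than a verdict.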