EventBot - New Android malware targets banks, financial services across Europe

silversurfer

Aug 17, 2014
A new form of Android mobile malware has emerged in the threat landscape with its eye on consumer and business financial data.

On Thursday, the Cybereason Nocturnus team said that EventBot appeared in March and combines a Trojan and information stealer capable of exfiltrating user financial application data, as well as conducting covert spying on victims.

EventBot targets over 200 mobile financial and cryptocurrency applications, including those offered by PayPal, Barclays, CapitalOne UK, Coinbase, TransferWise, and Revolut. Financial and banking services across Europe and the United States are specifically targeted.
Currently, the majority of targeted institutions are in Italy, the UK, Germany, and France.

The malware appears to still be under active development, with indicators including version numbers 0.0.0.1, 0.0.0.2, and 0.3.0.1, as well as IDs named with "test" in the codebase.

EventBot abuses Android's accessibility features to compromise devices. After being downloaded -- which researchers believe will likely be through rogue APK stores upon formal release, unless an operator is able to smuggle it past Google Play security -- the malware, masquerading as a legitimate application, first asks for a set of permissions.

The permissions requested include access to accessibility features, package installation controls, the ability to open network sockets, to read from external storage, and the option to run in the background, among others.

If a victim accepts the requests, the malware can "operate as a keylogger and can retrieve notifications about other installed applications and content of open windows," the researchers say, and will automatically download and update a configuration file containing the financial app target list.
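
The permission set described above is a useful triage signal. The script below is an added example (not code from the Cybereason report or from this thread): it parses a decoded AndroidManifest.xml (as produced by apktool, not the binary manifest inside the APK), lists the permissions that match the capabilities named in the article, checks for a declared accessibility service, and flags the combination. The permission-to-capability mapping and the sample manifest are constructed assumptions for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the EventBot-style pattern:
an accessibility service plus install, network, storage and background
permissions. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions mapped to the capabilities the write-up lists.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "package installation",
    "android.permission.INTERNET": "network sockets",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage read",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run in background (boot)",
    "android.permission.FOREGROUND_SERVICE": "run in background (service)",
    "android.permission.READ_SMS": "SMS access",
    "android.permission.RECEIVE_SMS": "SMS access",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, matched permissions, accessibility flag and verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = sorted(p for p in requested if p in SUSPECT_PERMISSIONS)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    # Early builds reportedly used a template-style package name (see thread).
    placeholder = package.startswith("com.example.")
    score = len(hits) + (3 if accessibility else 0) + (1 if placeholder else 0)
    return {"package": package, "permissions": hits, "accessibility_service": accessibility,
            "placeholder_package": placeholder, "score": score,
            "flag": accessibility and len(hits) >= 3}


# Constructed sample manifest mirroring the capabilities described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.eventbot">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```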
 

silversurfer

Aug 17, 2014
Here are a few points you need to keep in mind about EventBot:

1. This malware has icons similar to legitimate applications like Microsoft Word, Adobe Flash Player, etc., making it hard for one to identify the malware.

2. At launch, this malware seeks permission to enable the accessibility service.

3. It takes installed application info and device info and sends it to a C&C server.

4. This malware has the functionality of stealing SMS, accessing the screen lock PIN, etc.

5. It has evolved in 4 versions so far. Older versions use the simple package name "com.example.eventbot", but the latest versions use complicated package names.

Till now EventBot has infected over 200 different financial applications, like PayPal Business, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Paysafecard, and many more.
 

Gandalf_The_Grey

Apr 24, 2016
How can you stay protected from EventBot malware?

Be extremely cautious of what apps you download on your phone. Refrain from downloading apps that look suspicious or ask for too many information details at the time of installing. Always download apps from legitimate sources like the Play Store or App Store.


For enhanced protection of your phone from malware like EventBot or other similar threats, always use a good antivirus on your phone like Quick Heal Mobile Security for Android.

It will protect your phone from any such vulnerability and will guard you against downloading malicious apps on your phone.
 
