silversurfer

Level 62
Verified
Trusted
Content Creator
Malware Hunter
A new form of Android mobile malware has emerged in the threat landscape with its eye on consumer and business financial data.

On Thursday, the Cybereason Nocturnus team said that EventBot appeared in March and combines a Trojan and information stealer capable of exfiltrating user financial application data, as well as conducting covert spying on victims.

EventBot targets over 200 mobile financial and cryptocurrency applications, including those offered by PayPal, Barclays, CapitalOne UK, Coinbase, TransferWise, and Revolut. Financial and banking services across Europe and the United States are specifically targeted.
Currently, the majority of targeted institutions are in Italy, the UK, Germany, and France.

The malware appears to still be under active development, with indicators including version numbers 0.0.0.1, 0.0.0.2, and 0.3.0.1, as well as IDs named with "test" in the codebase.

EventBot abuses Android's accessibility features to compromise devices. After being downloaded -- which researchers believe will likely be through rogue APK stores upon formal release, unless an operator is able to smuggle it past Google Play security -- the malware, masquerading as a legitimate application, first asks for a set of permissions.

The permissions requested include access to accessibility features, package installation controls, the ability to open network sockets, to read from external storage, and the option to run in the background, among others.

If a victim accepts the requests, the malware can "operate as a keylogger and can retrieve notifications about other installed applications and content of open windows," the researchers say, and will automatically download and update a configuration file containing the financial app target list.
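A defender-side triage sketch for the permission combination described in the post above, added here as an example; it is not part of the original posts or of the Cybereason research. The mapping from the described capabilities to Android permission names, the function name and both sample manifests are assumptions constructed for illustration, and the input is expected to be a decoded (plain-text) AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: XML namespace
P = "android.permission."
# Assumed mapping: capability named in the post -> Android permission(s).
CAPABILITIES = {
    "package installation": {P + "REQUEST_INSTALL_PACKAGES"},
    "network sockets": {P + "INTERNET"},
    "read external storage": {P + "READ_EXTERNAL_STORAGE"},
    "run in background": {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
                          P + "RECEIVE_BOOT_COMPLETED"},
}

def triage_manifest(manifest_xml):
    """Report whether a manifest declares the combination described above."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A + "name") for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    matched = sorted(c for c, perms in CAPABILITIES.items() if perms & requested)
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "matched_capabilities": matched,
        # Flag for manual review only when the full combination is present.
        "review": bool(a11y) and len(matched) == len(CAPABILITIES),
    }

HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
SVC = ('<application><service android:name=".Svc" android:permission='
       '"android.permission.BIND_ACCESSIBILITY_SERVICE"/></application></manifest>')
USES = '<uses-permission android:name="android.permission.%s"/>'

# Constructed sample: accessibility service plus every capability from the post.
SUSPECT = (HEAD % "com.example.suspect"
           + "".join(USES % p for p in ("INTERNET", "READ_EXTERNAL_STORAGE",
                                        "REQUEST_INSTALL_PACKAGES",
                                        "RECEIVE_BOOT_COMPLETED"))
           + SVC)
# Constructed sample: accessibility service that only needs network access.
BENIGN = HEAD % "com.example.reader" + USES % "INTERNET" + SVC

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A match is a reason to look at the app more closely, not a verdict: legitimate accessibility tools can request several of the same permissions.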
 

silversurfer

Here are a few points you need to keep in mind about Eventbot:

1. These malware have icons similar to legitimate applications like Microsoft Word, Adobe Flash Player, etc., making it hard for one to identify the malware

2. At launch, these malware seek permission to enable accessibility service

3. It takes installed application info, device info and sends it to a C&C server

4. These malware have the functionality of stealing SMS, accessing screen lock PIN, etc.

5. It has evolved in 4 versions so far. Older versions use the simple package name “com.example.eventbot” but the latest versions use complicated package names

Till now Eventbot has infected over 200 different financial applications, like PayPal Business, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Paysafecard, and many more.
 

Gandalf_The_Grey

Level 32
Verified
How can you stay protected from Eventbot malware?

Be extremely cautious of what apps you download on your phone. Refrain from downloading apps that look suspicious or ask for too many information details at the time of installing. Always download apps from legitimate sources like Play Store or App Store.


For enhanced protection of your phone from malware like Eventbot or other similar threats, always use a good antivirus on your phone like Quick Heal Mobile Security for Android.

It will protect your phone from any such vulnerability and will guard you against downloading malicious apps on your phone.
 