Facts To Know About Android EventBot Malware

12 May 2020

EventBot is a mobile banking Trojan and infostealer that abuses Android's accessibility services to steal financial data from users' devices.

First discovered in March 2020 by Cybereason Nocturnus researchers, the Trojan has targeted users in the United States and Europe, going after more than 200 financial apps, money transfer services, and cryptocurrency wallets.

The list of targeted applications includes PayPal Business, Unicredit, Coinbase, Santander UK, Barclays, and many more. Fortunately for Android users, EventBot is not distributed through the Google Play Store.

Instead, its operators rely on third-party websites that offer the malware as what looks like a legitimate APK download.

Who’s Standing Behind EventBot?

This mobile banking trojan is fairly new, and judging from the results of Cybereason Nocturnus research, it is still in the development stage.

This observation is based on the following information:

  1. No conversations about EventBot were identified within underground communities, where new malware is often promoted, offered as a giveaway, or sold.
  2. In the course of the investigation, Cybereason researchers discovered a potential link to an additional Android infostealer that was responsible for several attacks in Italy in late 2019.
  3. A VirusTotal scan of an IP address used by the malware connected it to another infostealer tied to the authors of FTcode, a ransomware that could also steal saved user credentials from web browsers and email clients.

The malware is under constant development and adds features with every release. Dynamic library loading, automatic adjustment to the device model and locale, package name randomization, and encryption of its data already make it a serious threat.

With updates coming out at a consistent rate, we could see EventBot giving other Android Trojans a run for their money.

What Makes EventBot So Dangerous?

EventBot masquerades as legitimate software, using icons that imitate Adobe Flash and Microsoft Word.

Once someone downloads EventBot from an unofficial APK hosting site and installs it, the malware requests a long list of permissions.

The most notable request is for access to Android's accessibility services.

Accessibility services are meant to help users with disabilities: a service can perform gestures, enter text into input fields, and read the content of the screen on the user's behalf. In EventBot's hands, that same access lets the malware read notifications from other installed apps and the contents of open windows, collect device model information, and log what the user types. Combined with its SMS permissions, it also reads incoming text messages to steal one-time passcodes, which lets it bypass SMS-based two-factor authentication.

If the other requested permissions are granted, the malware starts itself after every boot to persist on the device (RECEIVE_BOOT_COMPLETED), holds a wake lock so the processor does not sleep and the screen does not dim (WAKE_LOCK), asks to be exempted from battery optimizations (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS), runs in the background, and reads from external storage (READ_EXTERNAL_STORAGE). The identifiers in parentheses are the standard Android permissions for each of these capabilities.

From that point on, it collects sensitive user data and banking information, including passwords and keystrokes. Beyond its blatant permission requests at installation time, the malware is very covert in its behaviour afterwards.
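As an added example (not code from this article or from Cybereason), the following Python script turns the permission pattern described above into a triage check a responder can run against `adb` output. It parses the text printed by `adb shell dumpsys package <pkg>` for the package's requested permissions, reads the value of the `enabled_accessibility_services` secure setting (`adb shell settings get secure enabled_accessibility_services`), and flags packages that combine an enabled accessibility service with SMS access, boot persistence, wake locks, a battery-optimization exemption, overlay windows and external-storage reads. The permission identifiers are Android's standard ones; the package names, dumpsys excerpt, setting value, weights and threshold are constructed for this example.

```python
"""Triage an Android package's permissions against the EventBot pattern.

Added example, not code from the Cybereason report or the article. Input is the
text of `adb shell dumpsys package <pkg>` plus the value of the secure setting
`enabled_accessibility_services`. Sample data below is constructed, not captured
from a real device or infection.
"""
import re
from typing import Dict, List, Set

# Standard Android permission names for the behaviours listed in the article.
# The weights are a triage heuristic chosen for this example, not from the report.
SUSPICIOUS_PERMISSIONS: Dict[str, int] = {
    "android.permission.READ_SMS": 3,                        # read one-time passcodes
    "android.permission.RECEIVE_SMS": 3,                     # intercept incoming SMS
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,          # relaunch after boot
    "android.permission.WAKE_LOCK": 1,                       # keep the CPU awake
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,             # draw over other apps
}
ACCESSIBILITY_WEIGHT = 4   # an enabled accessibility service is the key enabler
FLAG_THRESHOLD = 8         # accessibility plus SMS access, or a long list of extras

_PKG_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")
_PERM_LINE = re.compile(r"^\s*([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+)\b")


def parse_requested_permissions(dumpsys_text: str, package: str) -> Set[str]:
    """Collect the 'requested permissions:' entries of one package from dumpsys output."""
    perms: Set[str] = set()
    in_package = in_section = False
    for line in dumpsys_text.splitlines():
        header = _PKG_HEADER.match(line)
        if header:                      # a new "Package [name]" block starts
            in_package = header.group(1) == package
            in_section = False
            continue
        if not in_package:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            m = _PERM_LINE.match(line)
            if m is None or stripped.endswith(":"):
                in_section = False      # reached the next dumpsys subsection
                continue
            perms.add(m.group(1))       # tolerates "perm: restricted=true" lines too
    return perms


def enabled_accessibility_packages(setting_value: str) -> Set[str]:
    """Parse 'pkg/ServiceClass:pkg2/ServiceClass2' into the set of package names."""
    value = setting_value.strip()
    if value in ("", "null"):           # `settings get` prints "null" when unset
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(package: str, dumpsys_text: str, setting_value: str) -> Dict[str, object]:
    """Score one package; 'flagged' is True when it matches the EventBot pattern."""
    perms = parse_requested_permissions(dumpsys_text, package)
    has_a11y = package in enabled_accessibility_packages(setting_value)
    hits: List[str] = sorted(p for p in perms if p in SUSPICIOUS_PERMISSIONS)
    score = sum(SUSPICIOUS_PERMISSIONS[p] for p in hits)
    if has_a11y:
        score += ACCESSIBILITY_WEIGHT
    return {
        "package": package,
        "accessibility_enabled": has_a11y,
        "suspicious_permissions": hits,
        "score": score,
        "flagged": score >= FLAG_THRESHOLD,
    }


# Constructed sample data: a fake "Flash update" app requesting the EventBot
# permission set, and an ordinary messaging app that legitimately needs SMS access.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashupdate] (7a3f9c1):
    userId=10187
    versionCode=1 minSdk=21 targetSdk=29
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.WAKE_LOCK
      android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.messenger] (1b2c3d4):
    userId=10042
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_A11Y_SETTING = (
    "com.example.flashupdate/com.example.flashupdate.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

if __name__ == "__main__":
    for pkg in ("com.example.flashupdate", "com.example.messenger"):
        print(triage(pkg, SAMPLE_DUMPSYS, SAMPLE_A11Y_SETTING))
```

The messaging app scores on its SMS permissions alone and stays below the threshold, while the fake update app is flagged because it pairs an enabled accessibility service with the SMS, persistence and overlay permissions. The weights are deliberately coarse: the point is to surface the combination the article describes for manual review, not to replace an analyst's judgement.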

"By accessing and stealing this data, Eventbot has the potential to access key business data, including financial data. Mobile malware is no laughing matter and it is a significant risk for organizations and consumers alike." - states Assaf Dahan, Senior Director, Head of Threat Research of Cybereason.

How Can You Avoid Picking Up EventBot?

To protect their mobile devices, users should improve their security posture and cyber hygiene.

The malware is a significant threat not only to the personal finances of Android users but also to businesses, as 60% of devices containing or accessing enterprise data are mobile.

Cybereason's recommendations are the following:

  • Keep your device and its apps up to date, install apps only through the Google Play Store, and never download apps from unauthorized sources.
  • Keep Google Play Protect turned on.
  • Apply critical thinking before granting permissions: ask whether the app has a plausible reason to request what it asks for.

The original report by Cybereason researchers gives an outlook on how this new malware evolves over time and how the threat actors keep reworking its inner workings.

Please be wary of downloading any apps from unofficial stores, and keep yourself safe both online and offline.
