Monday, November 4, 2024
HomeAndroidNew Android Malware "EventBot" Steals Bank Credentials, SMS, Collect Personal Data, keystrokes

New Android Malware “EventBot” Steals Bank Credentials, SMS, Collect Personal Data, keystrokes

Published on

Malware protection

Researchers uncovered a new wave of stealthy banking Trojan and info stealer dubbed “EventBot” that can steal banking information, personal data and implant keystrokes on victims’ Android devices.

The Malware primarily abusing the Android’s Accessibility feature and steal the financial apps data, SMS messages and read the incoming SMS to bypass the 2FA.

EventBot targets a wide range of victims including 200 different financial Apps in various categories including banking, money transfer services, and cryptocurrency wallets.

- Advertisement - SIEM as a Service

The specifically targeted applications are  Paypal Business, Revolut,  Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK,  TransferWise,  Coinbase, Paysafecard, and many more which is used by tens of millions of  Android users.

EventBot
Applications targeted by EventBot

Once these apps are compromised, the EventBot Trojan will gain a wide range of access to the personal and business data which is holding by around 60% of Android devices.

It targeted the banking apps in specific countries inducing the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.

The malware is completely brand new and possibly become a big mobile malware in 2020, also the malware authors have developed the variant with a variety of feature with sophisticated functionalities.

EventBot Infection Process

In the initial stage of the attack, Attackers masquerade the malware as a legitimate application with several Icons and uploaded into the rogue APK stores and other shady websites.

EventBot
Icons used for EventBot masqueraded as legitimate with these icons.application.

Researchers observed a different version of EventBot malware (0.0.0.1, 0.0.0.2, and 0.3.0.1 and 0.4.0.1) and the each version has different bots functionality.

Once the malicious module got installed, it requests a following permission in the victim’s devices.

  • SYSTEM_ALERT_WINDOW – allow the app to create windows that are shown on top of other apps.
  • READ_EXTERNAL_STORAGE – read from external storage.
  • REQUEST_INSTALL_PACKAGES – make a request to install packages.
  • INTERNET – open network sockets.
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS – whitelist the app to allow it to ignore battery optimizations.
  • WAKE_LOCK – prevent the processor from sleeping and dimming the screen.
  • ACCESS_NETWORK_STATE – allow the app to access information about networks.
  • REQUEST_COMPANION_RUN_IN_BACKGROUND – let the app run in the background.
  • REQUEST_COMPANION_USE_DATA_IN_BACKGROUND – let the app use data in the background.
  • RECEIVE_BOOT_COMPLETED – allow the application to launch itself after system boot. EventBot uses this permission in order to achieve persistence and run in the background as a service.
  • RECEIVE_SMS – allow the application to receive text messages.
  • READ_SMS – allow the application to read text messages.

Later it prompts users to grant permission to the accessibility services. once it gained the access, the malware has gained an ability to operate as a keylogger and access the notification about the other installed apps.

EventBot

Also it requesting permission for running the in the background to the most updated version of the Android.

According to Cybereason Research report “This version includes 185 different applications, including official applications of worldwide banks. 26 of the targeted applications are from Italy, 25 are from the UK, 6 are from Germany, 5 are from France, and 3 are from Spain.”

Data Gathering List

  • Getting a list of all installed applications: Once EventBot is installed on the target machine, it lists all the applications on the target machine and sends them to the C2. 
  • Device information: EventBot queries for device information like OS, model, etc, and also sends that to the C2.
  • Data encryption: In the initial version of EventBot, the data being exfiltrated is encrypted using Base64 and RC4. 
  • SMS grabbing: EventBot has the ability to parse SMS messages by using the targeted device’s SDK version to parse them correctly.

Every version has its unique features to steal financial information, is able to hijack transactions, and also collecting the personal data, passwords, keystrokes, banking information.

Mitigation suggested by Experts

  • Keep your mobile device up-to-date with the latest software updates from legitimate sources.
  • Keep Google Play Protect on.
  • Do not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available on the Google Play Store. 
  • Always apply critical thinking and consider whether you should give a certain app the permissions it requests. 
  • When in doubt, check the APK signature and hash in sources like VirusTotal before installing it on your device. 
  • Use mobile threat detection solutions for enhanced security.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Also Read:

Hackers Spread Android Malware Via Coronavirus Safety App & Gain Contacts Access to Infect All of Them via SMS

Cookiethief – Android Malware that Gains Root Access to Steal Browser & Facebook App Cookies

Google Play Store Flooding with Spyware, Banking Trojan, Adware Via Games, and Utility Apps

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...