Tuesday, May 28, 2024

New Android Malware “EventBot” Steals Bank Credentials, SMS, Collect Personal Data, keystrokes

Researchers uncovered a new wave of stealthy banking Trojan and info stealer dubbed “EventBot” that can steal banking information, personal data and implant keystrokes on victims’ Android devices.

The Malware primarily abusing the Android’s Accessibility feature and steal the financial apps data, SMS messages and read the incoming SMS to bypass the 2FA.

EventBot targets a wide range of victims including 200 different financial Apps in various categories including banking, money transfer services, and cryptocurrency wallets.

The specifically targeted applications are  Paypal Business, Revolut,  Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK,  TransferWise,  Coinbase, Paysafecard, and many more which is used by tens of millions of  Android users.

Applications targeted by EventBot

Once these apps are compromised, the EventBot Trojan will gain a wide range of access to the personal and business data which is holding by around 60% of Android devices.

It targeted the banking apps in specific countries inducing the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.

The malware is completely brand new and possibly become a big mobile malware in 2020, also the malware authors have developed the variant with a variety of feature with sophisticated functionalities.

EventBot Infection Process

In the initial stage of the attack, Attackers masquerade the malware as a legitimate application with several Icons and uploaded into the rogue APK stores and other shady websites.

Icons used for EventBot masqueraded as legitimate with these icons.application.

Researchers observed a different version of EventBot malware (,, and and and the each version has different bots functionality.

Once the malicious module got installed, it requests a following permission in the victim’s devices.

  • SYSTEM_ALERT_WINDOW – allow the app to create windows that are shown on top of other apps.
  • READ_EXTERNAL_STORAGE – read from external storage.
  • REQUEST_INSTALL_PACKAGES – make a request to install packages.
  • INTERNET – open network sockets.
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS – whitelist the app to allow it to ignore battery optimizations.
  • WAKE_LOCK – prevent the processor from sleeping and dimming the screen.
  • ACCESS_NETWORK_STATE – allow the app to access information about networks.
  • REQUEST_COMPANION_RUN_IN_BACKGROUND – let the app run in the background.
  • REQUEST_COMPANION_USE_DATA_IN_BACKGROUND – let the app use data in the background.
  • RECEIVE_BOOT_COMPLETED – allow the application to launch itself after system boot. EventBot uses this permission in order to achieve persistence and run in the background as a service.
  • RECEIVE_SMS – allow the application to receive text messages.
  • READ_SMS – allow the application to read text messages.

Later it prompts users to grant permission to the accessibility services. once it gained the access, the malware has gained an ability to operate as a keylogger and access the notification about the other installed apps.


Also it requesting permission for running the in the background to the most updated version of the Android.

According to Cybereason Research report “This version includes 185 different applications, including official applications of worldwide banks. 26 of the targeted applications are from Italy, 25 are from the UK, 6 are from Germany, 5 are from France, and 3 are from Spain.”

Data Gathering List

  • Getting a list of all installed applications: Once EventBot is installed on the target machine, it lists all the applications on the target machine and sends them to the C2. 
  • Device information: EventBot queries for device information like OS, model, etc, and also sends that to the C2.
  • Data encryption: In the initial version of EventBot, the data being exfiltrated is encrypted using Base64 and RC4. 
  • SMS grabbing: EventBot has the ability to parse SMS messages by using the targeted device’s SDK version to parse them correctly.

Every version has its unique features to steal financial information, is able to hijack transactions, and also collecting the personal data, passwords, keystrokes, banking information.

Mitigation suggested by Experts

  • Keep your mobile device up-to-date with the latest software updates from legitimate sources.
  • Keep Google Play Protect on.
  • Do not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available on the Google Play Store. 
  • Always apply critical thinking and consider whether you should give a certain app the permissions it requests. 
  • When in doubt, check the APK signature and hash in sources like VirusTotal before installing it on your device. 
  • Use mobile threat detection solutions for enhanced security.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Hackers Spread Android Malware Via Coronavirus Safety App & Gain Contacts Access to Infect All of Them via SMS

Cookiethief – Android Malware that Gains Root Access to Steal Browser & Facebook App Cookies

Google Play Store Flooding with Spyware, Banking Trojan, Adware Via Games, and Utility Apps


Latest articles

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to...

Kesakode: A Remote Hash Lookup Service To Identify Malware Samples

Today marks a significant milestone for Malcat users with the release of version 0.9.6,...

Cisco Firepower Vulnerability Let Attackers Launch SQL Injection Attacks

 A critical vulnerability has been identified in Cisco Firepower Management Center (FMC) Software's web-based...

Hackers Exploit WordPress Plugin to Steal Credit Card Data

Hackers have exploited an obscure WordPress plugin to inject malware into websites, specifically targeting...

Google Patches Chrome Zero-Day: Type Confusion in V8 JavaScript

Google has released a patch for a zero-day exploit in its Chrome browser.The...

Hackers Created Rogue VMs in Recent MITRE’s Cyber Attack

State-sponsored hackers recently exploited vulnerabilities in MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE).They...

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles