Saturday, December 2, 2023

New Android Malware “EventBot” Steals Bank Credentials, SMS, Collect Personal Data, keystrokes

Researchers uncovered a new wave of stealthy banking Trojan and info stealer dubbed “EventBot” that can steal banking information, personal data and implant keystrokes on victims’ Android devices.

The Malware primarily abusing the Android’s Accessibility feature and steal the financial apps data, SMS messages and read the incoming SMS to bypass the 2FA.

EventBot targets a wide range of victims including 200 different financial Apps in various categories including banking, money transfer services, and cryptocurrency wallets.

The specifically targeted applications are  Paypal Business, Revolut,  Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK,  TransferWise,  Coinbase, Paysafecard, and many more which is used by tens of millions of  Android users.

Applications targeted by EventBot

Once these apps are compromised, the EventBot Trojan will gain a wide range of access to the personal and business data which is holding by around 60% of Android devices.

It targeted the banking apps in specific countries inducing the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.

The malware is completely brand new and possibly become a big mobile malware in 2020, also the malware authors have developed the variant with a variety of feature with sophisticated functionalities.

EventBot Infection Process

In the initial stage of the attack, Attackers masquerade the malware as a legitimate application with several Icons and uploaded into the rogue APK stores and other shady websites.

Icons used for EventBot masqueraded as legitimate with these icons.application.

Researchers observed a different version of EventBot malware (,, and and and the each version has different bots functionality.

Once the malicious module got installed, it requests a following permission in the victim’s devices.

  • SYSTEM_ALERT_WINDOW – allow the app to create windows that are shown on top of other apps.
  • READ_EXTERNAL_STORAGE – read from external storage.
  • REQUEST_INSTALL_PACKAGES – make a request to install packages.
  • INTERNET – open network sockets.
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS – whitelist the app to allow it to ignore battery optimizations.
  • WAKE_LOCK – prevent the processor from sleeping and dimming the screen.
  • ACCESS_NETWORK_STATE – allow the app to access information about networks.
  • REQUEST_COMPANION_RUN_IN_BACKGROUND – let the app run in the background.
  • REQUEST_COMPANION_USE_DATA_IN_BACKGROUND – let the app use data in the background.
  • RECEIVE_BOOT_COMPLETED – allow the application to launch itself after system boot. EventBot uses this permission in order to achieve persistence and run in the background as a service.
  • RECEIVE_SMS – allow the application to receive text messages.
  • READ_SMS – allow the application to read text messages.

Later it prompts users to grant permission to the accessibility services. once it gained the access, the malware has gained an ability to operate as a keylogger and access the notification about the other installed apps.


Also it requesting permission for running the in the background to the most updated version of the Android.

According to Cybereason Research report “This version includes 185 different applications, including official applications of worldwide banks. 26 of the targeted applications are from Italy, 25 are from the UK, 6 are from Germany, 5 are from France, and 3 are from Spain.”

Data Gathering List

  • Getting a list of all installed applications: Once EventBot is installed on the target machine, it lists all the applications on the target machine and sends them to the C2. 
  • Device information: EventBot queries for device information like OS, model, etc, and also sends that to the C2.
  • Data encryption: In the initial version of EventBot, the data being exfiltrated is encrypted using Base64 and RC4. 
  • SMS grabbing: EventBot has the ability to parse SMS messages by using the targeted device’s SDK version to parse them correctly.

Every version has its unique features to steal financial information, is able to hijack transactions, and also collecting the personal data, passwords, keystrokes, banking information.

Mitigation suggested by Experts

  • Keep your mobile device up-to-date with the latest software updates from legitimate sources.
  • Keep Google Play Protect on.
  • Do not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available on the Google Play Store. 
  • Always apply critical thinking and consider whether you should give a certain app the permissions it requests. 
  • When in doubt, check the APK signature and hash in sources like VirusTotal before installing it on your device. 
  • Use mobile threat detection solutions for enhanced security.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Hackers Spread Android Malware Via Coronavirus Safety App & Gain Contacts Access to Infect All of Them via SMS

Cookiethief – Android Malware that Gains Root Access to Steal Browser & Facebook App Cookies

Google Play Store Flooding with Spyware, Banking Trojan, Adware Via Games, and Utility Apps


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles