Researchers uncovered a new wave of stealthy banking Trojan and info stealer dubbed “EventBot” that can steal banking information, personal data and implant keystrokes on victims’ Android devices.
The Malware primarily abusing the Android’s Accessibility feature and steal the financial apps data, SMS messages and read the incoming SMS to bypass the 2FA.
EventBot targets a wide range of victims including 200 different financial Apps in various categories including banking, money transfer services, and cryptocurrency wallets.
The specifically targeted applications are Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, Paysafecard, and many more which is used by tens of millions of Android users.
Once these apps are compromised, the EventBot Trojan will gain a wide range of access to the personal and business data which is holding by around 60% of Android devices.
It targeted the banking apps in specific countries inducing the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.
The malware is completely brand new and possibly become a big mobile malware in 2020, also the malware authors have developed the variant with a variety of feature with sophisticated functionalities.
EventBot Infection Process
In the initial stage of the attack, Attackers masquerade the malware as a legitimate application with several Icons and uploaded into the rogue APK stores and other shady websites.
Researchers observed a different version of EventBot malware (0.0.0.1, 0.0.0.2, and 0.3.0.1 and 0.4.0.1) and the each version has different bots functionality.
Once the malicious module got installed, it requests a following permission in the victim’s devices.
- SYSTEM_ALERT_WINDOW – allow the app to create windows that are shown on top of other apps.
- READ_EXTERNAL_STORAGE – read from external storage.
- REQUEST_INSTALL_PACKAGES – make a request to install packages.
- INTERNET – open network sockets.
- REQUEST_IGNORE_BATTERY_OPTIMIZATIONS – whitelist the app to allow it to ignore battery optimizations.
- WAKE_LOCK – prevent the processor from sleeping and dimming the screen.
- ACCESS_NETWORK_STATE – allow the app to access information about networks.
- REQUEST_COMPANION_RUN_IN_BACKGROUND – let the app run in the background.
- REQUEST_COMPANION_USE_DATA_IN_BACKGROUND – let the app use data in the background.
- RECEIVE_BOOT_COMPLETED – allow the application to launch itself after system boot. EventBot uses this permission in order to achieve persistence and run in the background as a service.
- RECEIVE_SMS – allow the application to receive text messages.
- READ_SMS – allow the application to read text messages.
Later it prompts users to grant permission to the accessibility services. once it gained the access, the malware has gained an ability to operate as a keylogger and access the notification about the other installed apps.
Also it requesting permission for running the in the background to the most updated version of the Android.
According to Cybereason Research report “This version includes 185 different applications, including official applications of worldwide banks. 26 of the targeted applications are from Italy, 25 are from the UK, 6 are from Germany, 5 are from France, and 3 are from Spain.”
Data Gathering List
- Getting a list of all installed applications: Once EventBot is installed on the target machine, it lists all the applications on the target machine and sends them to the C2.
- Device information: EventBot queries for device information like OS, model, etc, and also sends that to the C2.
- Data encryption: In the initial version of EventBot, the data being exfiltrated is encrypted using Base64 and RC4.
- SMS grabbing: EventBot has the ability to parse SMS messages by using the targeted device’s SDK version to parse them correctly.
Every version has its unique features to steal financial information, is able to hijack transactions, and also collecting the personal data, passwords, keystrokes, banking information.
Mitigation suggested by Experts
- Keep your mobile device up-to-date with the latest software updates from legitimate sources.
- Keep Google Play Protect on.
- Do not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available on the Google Play Store.
- Always apply critical thinking and consider whether you should give a certain app the permissions it requests.
- When in doubt, check the APK signature and hash in sources like VirusTotal before installing it on your device.
- Use mobile threat detection solutions for enhanced security.