Mobile banking customers at risk from new EventBot trojan

Users of online retail banking, money transfer services and other financial services applications are warned to be on their guard against a new Android mobile banking trojan, dubbed EventBot, which is targeting users of more than 200 services across Europe and the US, including Barclays, CapitalOne, HSBC and Santander.

EventBot was first spotted in March this year and has been tracked extensively by researchers on Cybereason’s Nocturnus team. It abuses Android’s accessibility features to steal user data from applications, and to read and steal SMS messages – the latter gives it the ability to bypass two-factor authentication.

Assaf Dahan, senior director and head of threat research at Cybereason, said there was every chance that EventBot could become the next big mobile malware threat, as it was clear its developers have invested time and effort to code a highly sophisticated and capable piece of software.

“By accessing and stealing this data, EventBot has the potential to access key business data, including financial data,” said Dahan. “Mobile malware is no laughing matter and it is a significant risk for organisations and consumers alike.”

Dahan, who worked on the EventBot research alongside Daniel Frank, Lior Rochberger and Yaron Rimmer, said the trojan struck the team as particularly interesting because it had been spotted in the early stages of its lifecycle, and is currently undergoing frequent iterative improvements.

“This research gives a rare look into the process improvements malware authors make when optimising before launch,” he said. “By going on the offensive and hunting the attackers, our team was able to unearth the early stages of what may be a very dangerous mobile malware.”

The Nocturnus team has found four versions of the EventBot trojan as of the time of writing, versions 0.0.0.1, 0.0.0.2, 0.3.0.1 and 0.4.0.1, with each version expanding its functionality and adding new features to obfuscate against analysis.

Like many other malware strains, EventBot tricks its victims into giving it access to Android’s accessibility features. These features are designed principally to support disabled users and let legitimate apps automate certain functions, such as writing in input fields, auto-generating permissions, and performing gestures for the user.

However, in the case of malicious apps, accessibility services can be exploited to enable more nefarious functions – in EventBot’s case, it acquires the ability to operate as a keylogger and can retrieve device notifications about other installed apps and the content of open windows. Ultimately, EventBot exfiltrates device data to its command and control (C2) server.

The Nocturnus team said it had tried to identify the threat actors behind the trojan, but without success so far. It has tracked no conversations about EventBot on underground platforms, which Dahan said strengthened his suspicions that it is still undergoing rapid development and has not been officially marketed or released. It has certainly not yet been used in any large attack campaigns.

Despite this, the emergence of EventBot as a legitimate threat serves as a reminder to organisations to step up their defences against threats targeting mobile devices, the use of which is particularly high right now as millions of people work remotely.

As a matter of course, organisations running Android mobile device estates – as well as individual consumers – should always: keep devices up to date with the latest software updates from legitimate sources; keep Google’s Play Protect service switched on; only ever download apps from the Google Play store; think carefully about what permissions apps ask for and whether or not to grant them; if in doubt, check APK signatures and hashes via sources such as VirusTotal before installing apps; and use mobile threat detection services if possible.
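To make the permissions check concrete, the following Python sketch (an added example, not code from Cybereason or from the original article) flags an app whose manifest declares both an accessibility service and SMS-reading permissions, the combination described above. It assumes the APK's AndroidManifest.xml has already been decoded to plain-text XML; the sample manifest, package name and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: decoded manifest of a hypothetical app, not taken from a real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Return the accessibility and SMS capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # The system binds accessibility services via this permission and action.
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND or A11Y_ACTION in actions:
            a11y_services.append(svc.get(ANDROID_NS + "name"))
    sms = sorted(requested & SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "sms_permissions": sms,
        # Both together allow screen-content capture plus reading SMS one-time codes.
        "review_before_install": bool(a11y_services) and bool(sms),
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flag from this check is a prompt for manual review rather than a verdict, since legitimate accessibility tools can declare the same service.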

A full disclosure blog detailing the Nocturnus team’s research, including indicators of compromise (IOCs) and information on the various iterations that EventBot has gone through, can be read here.