A new form of Android mobile malware has emerged in the threat landscape with its eye on consumer and business financial data.
On Thursday, the Cybereason Nocturnus team said that EventBot appeared in March and combines a Trojan and information stealer capable of exfiltrating user financial application data, as well as conducting covert spying on victims.
EventBot targets over 200 mobile financial and cryptocurrency applications, including those offered by PayPal, Barclays, CapitalOne UK, Coinbase, TransferWise, and Revolut. Financial and banking services across Europe and the United States are specifically targeted.
The malware appears to still be under active development, with indicators including version numbers 0.0.0.1, 0.0.0.2, and 0.3.0.1, as well as IDs named with “test” in the codebase.
EventBot abuses Android’s accessibility features to compromise devices. After being downloaded — which researchers believe will likely through rogue APK stores upon formal release, unless an operator is able to smuggle it past Google Play security — the malware, masquerading as a legitimate application, first asks for a set of permissions.
The permissions requested includes access to accessibility features, package installation controls, the ability to open network sockets, to read from external storage, and the option to run in the background, among others.
If a victim accepts the requests, the malware can “operate as a keylogger and can retrieve notifications about other installed applications and content of open windows,” the researchers say, and will automatically download and update a configuration file containing the financial app target list.
Currently, the majority of targeted institutions are in Italy, the UK, Germany, and France.
Command-and-control (C2) URLs are also downloaded. Information sent between EventBot and C2s is encrypted using Base64, RC4, and Curve25519.
“All of the most recent versions of EventBot [also] contain a ChaCha20 library that can improve performance when compared to other algorithms like RC4 and AES, however, it is not currently being used,” the team notes. “This implies that the authors are actively working to optimize EventBot over time.”
The malware gathers system data from the target device, grabs SMS messages — a useful feature for bypassing two-factor authentication (2FA) — and is able to perform web injections, grab Samsung screen PINs, conduct surveillance, and steal data not only from the user’s device but also from applications, due to the abuse of accessibility features that gives EventBot control of a variety of features such as auto-filling, combined with its keylogger module.
Cybereason believes EventBot has the potential to become a serious mobile threat in the future, as “it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications.”
As the malware still appears to be in development, Cybereason was unable to find any concrete links for attribution purposes. However, EventBot’s infrastructure and C2 did reveal a potential link to an Android information stealer previously spotted in late 2019 while conducting attacks in Italy.
Cybereason says that EventBot highlights how mobile attacks are becoming more common, a problem not just for consumers using financial applications, but also for businesses that rely on the same technology to access company financial data — an issue which may now become more critical due to the shift to remote working caused by COVID-19.
According to the researchers, roughly a third of malware now targets mobile endpoints, and it is possible that EventBot will become a more substantial threat in the future.
Earlier this month, Bitdefender disclosed the existence of dark_nexus, a new botnet that the team says “puts to shame” other botnets due to its extremely advanced capabilities and features. The team said dark_nexus has code links to both Mirai and Qbot, but the botnet’s infrastructure is far more robust than either of the well-known botnets.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0