Pierluigi Paganini April 30, 2020

Security experts from Cybereason Nocturnus team discovered a new piece of Android malware dubbed EventBot that targets banks, financial services across Europe.

Researchers from Cybereason Nocturnus team discovered a new piece of Android malware dubbed EventBot that targets banks, financial services across Europe

The malware first appeared in the threat landscape in March, in implements information stealer/RAT capabilities. 

“The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware that emerged around March 2020. EventBot is a mobile banking trojan and infostealer that abuses Android’s accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.” reads the analysis published by Cybereason.

Android malware targets over 200 mobile financial and cryptocurrency applications, including Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, and paysafecard. 

Most of the victims are financial banking applications across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.

EventBot is in early stages and under constant improvements, it has real potential to become one of the most dangerous malware in the threat landscape.

EventBot abuses Android’s accessibility features to steal information from the target devices, it is distributed thorough rogue third-party APK stores masquerading as legitimate applications.

EventBot can intercept SMS messages and bypass two-factor authentication mechanisms by abusing Android’s accessibility feature.

Upon execution, the malware request multiple permissions, including the access to accessibility features, package installation controls, the ability to open network sockets, to read from external storage, and the option to run in the background. 

By analyzing HTTP packets in EventBot Version 0.0.0.1, experts noticed that EventBot downloads and updates a configuration file with almost 200 different financial application targets.

The malware also downloads the Command-and-control (C2) URLs, C2 communication is encrypted using Base64, RC4, and Curve25519. 

Most recent versions of EventBot also include a ChaCha20 library that can improve performance, but it is not currently being used, a circumstance that suggests authors are actively working to optimize EventBot.

The analysis of the EventBot’s infrastructure and C2 reveals a potential link to another Android info stealer employed in late 2019 in attacks against Italian users. 

“This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days. With each new version, the malware adds new features like dynamic library loading, encryption, and adjustments to different locales and manufacturers.” concludes the report.

“Although the threat actor responsible for the development of EventBot is still unknown and the malware does not appear to be involved in major attacks, it is interesting to follow the early stages of mobile malware development.”

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

Pierluigi Paganini

(SecurityAffairs – Android, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]