Last updated on December 8th, 2022 at 02:04 pm
EventBot Android , the malware designed for Android devices targeting over 200 financial applications, could be the “next big mobile malware,” warn researchers who first observed and studied it.
Recently discovered, EventBot Android was designed to steal payment data from users of popular financial applications such as PayPal, Barclays, CapitalOne and many more.
This malware, more precisely an info stealer, has targeted users of over 200 different banking applications, money transfer services and cryptocurrency wallet applications. First identified in March 2020, EventBot is still under development, but researchers warn that it is evolving rapidly with new versions being released every few days.
EventBot is particularly interesting because it is at an early stage in its evolution, but has real potential to become the next big mobile malware, as it is under constant operational improvements, abuses a critical vulnerability of the Android operating system and targets financial applications.
How it works
EventBot was not currently found on the Google Play application market, but researchers said the malware is still disguised as legitimate applications. This leads them to believe that it is probably loaded into APK stores and third-party websites in the guise of real applications, such as Adobe Flash or Microsoft Word apps.
Once installed, the malware requires various permissions on the victims’ devices (always claiming to be a legitimate application). These permissions allow the app to launch after the system restarts, to run and use data in the background, to read and receive text messages, to access information about networks and more.
In addition, EventBot invites the user to access Android accessibility services, opening up a series of potentially security-critical possibilities.
Accessibility services are typically used to assist users with disabilities in using Android devices and applications. However, these are also often abused by malware, from banking Trojans to real spyware.
Access to these permissions gives malware the ability to act as a keylogger and recover notifications about the various applications installed, the researchers said.
In particular, EventBot can intercept SMS messages and bypass two-factor authentication mechanisms.
At run time, EventBot also downloads a configuration file with the 200 different financial app targets. Specific targets are app users in the U.S. and Europe (including Italy, the UK, Spain, Switzerland, France and Germany).
The researchers noticed significant updates over the course of a few weeks while monitoring EventBot.
For example, newer versions include a new method called grabScreenPin, which takes advantage of the accessibility feature to track PIN code changes in device settings.
The PIN is sent to the command and control server (C2), presumably to give malware the ability to perform privileged actions on infected devices related to payments and system configuration options. Also, in more recent versions, the malware has obfuscated the previously not hidden loader.
The researchers were unable to identify any EventBot conversations on underground forums, where new malware is often introduced, promoted and sold – further reinforcing their suspicion that the malware is still under development and has not been officially released. However, they warned that EventBot continues to receive weekly updates, as seen in its botnetID strings, which show consecutive numbering between versions.
With each new version, the malware adds new features such as dynamic library loading, encryption and adjustments to different locales and manufacturers.
