Security researchers have discovered a highly capable mobile banking Trojan named EventBot that is exploiting Android’s accessibility features to target users of over 200 different financial applications such as PayPal, Barclays, HSBC UK, and others.
Security researchers from the Cybereason Nocturnus team that unearthed EventBot believe that the malware has real potential to become the next big mobile threat as the malware is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications.
The researcher found that EventBot is capable of stealing user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication. The list of financial applications on Android that are vulnerable to the malware trojan includes Paypal Business, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, and Coinbase.
“EventBot could be the next influential mobile malware because of the time the developer has already invested into creating the code and the level of sophistication and capabilities is really high,” said Assaf Dahan, senior director and head of Threat Research at Cybereason.
“By accessing and stealing this data, Eventbot has the potential to access key business data, including financial data. Mobile malware is no laughing matter and it is a significant risk for organisations and consumers alike,” he added.
According to Cybereason, EventBot specifically targets financial banking applications across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.
“This malware abuses the Android accessibility feature to steal user information and is able to update its code and release new features every few days. With each new version, the malware adds new features like dynamic library loading, encryption, and adjustments to different locales and manufacturers. EventBot appears to be a completely new malware in the early stages of development, giving us an interesting view into how attackers create and test their malware.
“Once this malware has successfully installed, it will collect personal data, passwords, keystrokes, banking information, and more. This information can give the attacker access to personal and business bank accounts, personal and business data, and more,” the firm added.
Even though the malware trojan is highly capable and effective, Android mobile users can prevent their devices and apps from infection by keeping their devices up to date with the latest software updates from legitimate sources, keeping Google Play Protect on, not downloading apps from third party app stores, and by using mobile threat detection solutions for enhanced security.
This isn’t the first time that malicious hackers have developed highly-capable banking trojans to target banking, financial or cryptocurrency apps. Over two years ago, researchers at security firm Quick Heal discovered a banking trojan dubbed Android.banker.A2f8a that targeted 232 banking apps by hiding behind a fake Flash Player app and obtaining administrative rights to Android devices.
The Android banking trojan was capable of stealing login credentials by displaying fake login screen over apps, hijacking SMSs, and uploading contact lists and SMSs on a malicious server. Not only did the Android banking trojan collect all SMSs stored in a device, it also set a device’s ringer volume to silent to ensure users did not notice new notifications from banks.
The banking trojan targeted a number of apps run by prominent Indian banks like the State Bank of India, Axis Bank, HDFC Bank, ICICI Bank, IDBI Bank, Union Bank of Commerce, and Bank of Baroda as well as banks and cryptocurrency exchanges in other countries like Bitfinex, Bitconium, Freewallet, WUBS Prepaid, Alfa-Direct, GarantiBank, QNB Finansinvest, Commerzbank, PayPal, Bank of America, Wells Fargo Bank, NatWest Bank, Halifax and Santander UK.