Threat actors are testing new Android banking malware capable of targeting over 200 financial apps

 


The Cybereason Nocturnus team has been tracking a new type of Android mobile malware, which combines the functionality of a banking trojan and an infostealer to steal user data from financial applications, and is able to steal SMS messages to bypass two-factor authentication.

The malware, dubbed EventBot, emerged in March and is still at an early stage of development, with new versions that add improvements and new capabilities released every few days.

EventBot targets over 200 mobile financial and cryptocurrency applications, including apps from PayPal, Barclays, CapitalOne UK, Coinbase, TransferWise, and Revolut. It specifically targets financial banking applications across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany. The EventBot malware abuses Android's accessibility features to gain access to valuable data such as user information, system information, and data stored in other applications. The trojan is also capable of stealing SMS messages and bypassing two-factor authentication mechanisms.

Once downloaded on a device, the malware, disguised as a legitimate application, first asks for a set of permissions. These include permissions to create windows that are shown on top of other apps, read from external storage, open network sockets, access information about networks, run and use data in the background, launch itself after system boot, and receive and read text messages.

If a victim accepts the requests, the malware can operate as a keylogger and can retrieve notifications about other installed applications and content of open windows, and will automatically download and update a configuration file containing the financial app target list.
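A triage check for the permission pattern described above, as an added example that is not Cybereason's tooling or code from the original article. It assumes a manifest already decoded to text XML; the mapping from the article's plain-language permissions to Android permission constants, the heuristic, and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."

# Assumption: the article lists permissions in plain language; these are the
# Android constants that match those descriptions.
RISK_GROUPS = {
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "sms": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "boot": {P + "RECEIVE_BOOT_COMPLETED"},
    "background": {P + "REQUEST_COMPANION_RUN_IN_BACKGROUND",
                   P + "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND"},
}
# Heuristic (assumption): overlay + SMS access + an accessibility service together.
REQUIRED = {"overlay", "sms", "accessibility"}

def triage_manifest(manifest_xml):
    """Return the risk groups a decoded AndroidManifest.xml matches."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    hits = {g: sorted(p & requested) for g, p in RISK_GROUPS.items() if p & requested}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    services = [s.get(A + "name") for s in root.iter("service")
                if s.get(A + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    if services:
        hits["accessibility"] = services
    return {"package": root.get("package"), "hits": hits,
            "suspicious": REQUIRED <= set(hits)}

def manifest(package, perms, a11y_service=None):
    """Build a constructed sample manifest for the demo below."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    svc = (f'<service android:name="{a11y_service}" '
           f'android:permission="{P}BIND_ACCESSIBILITY_SERVICE"/>') if a11y_service else ""
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application>{svc}</application></manifest>')

# Constructed samples: not taken from any real app.
FAKE_UPDATER = manifest("com.example.updater", ["SYSTEM_ALERT_WINDOW", "READ_SMS",
                        "RECEIVE_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET"], ".Watcher")
SMS_APP = manifest("com.example.messages", ["READ_SMS", "RECEIVE_SMS", "INTERNET"])

if __name__ == "__main__":
    for sample in (FAKE_UPDATER, SMS_APP):
        print(triage_manifest(sample))
```

A match is a reason to review the app, not a verdict: legitimate accessibility and messaging tools can request parts of this set.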

At this stage, the researchers have not been able to identify the threat actor behind the EventBot malware, but they believe that “EventBot is still in the development stage, and as such, is not likely to have been used for large attack campaigns thus far.”

