New EventBot Android malware targets banking apps

Almost every day there’s some Android malware on the scene, but EventBot is well worth being aware of. This Trojan targets European and US mobile banking apps with the aim of stealing login details – including the unique one-time passcodes sent as SMS.

When you log into your banking app, you’ll use various methods that identify you such as a username, password or code. These days, most banks require you to enter a separate code which is different each time: it’s called two-factor authentication and helps to prevent anyone accessing your account if they manage to get hold of your usual login details.

Researchers at Cybereason have been investigating a brand new piece of malware, dubbed EventBot, which tricks you into granting it accessibility permissions in Android so it can read your text messages, steal those one-time passcodes and bypass your bank’s two-factor authentication.

It isn’t the first Android malware to do this: SlemBunk worked in a similar way back in 2016.

The team at Cybereason found that EventBot targets money transfer services and cypto-currency wallets as well as the banking apps you’re probably familiar with. The list includes:

  • Santander UK
  • HSBC UK
  • CapitalOne UK
  • Barclays
  • Monzo
  • TSB Business
  • PayPal Business
  • TransferWise
  • Coinbase
  • Revolut
  • paysafecard 

These are all the apps that EventBot is known to target:

EventBot Android Malware app Icons

EventBot hasn’t been officially released yet, so it’s unusual to have a heads-up this early on a new threat. The team at Cybereason have been tracking updates since they first encountered the malware in March 2020, and it’s becoming more sophisticated every day.

How does EventBot work?

It masquerades as a legitimate app which you might download on your phone. So far, these are the icons it uses, one being Microsoft Word.

EventBot Android Malware app Icons

When you install the app and launch it, it will ask you to grant it permissions such as accessibility and always running in the background so you “get the full functionality” and this is how it gets access to read your text messages and work as a keylogger to steal your passwords and other information.

Obviously this is extremely dangerous as it could have serious consequences, such as emptying your bank account, stealing logins for other services, capturing personal and business information and more.

How to protect your Android Phone from malware

So far EventBot has not been found on the Google Play Store and hasn’t been involved in any major attacks but the usual security advice prevails: only install apps from reputable sources (such as the Play Store) and run good antivirus software on your phone.

Also, if an app asks for permissions, don’t just accept them without even reading them. Carefully consider whether the app should have the access that it’s asking for. Often you can deny certain permissions while allowing others, but if in doubt deny them all and consider deleting the app and finding an alternative, or an alternative source to install it from.

The Cybereason Nocturnus team say it’s likely that when the malware is released it will be uploaded to rogue APK stores and websites, pretending to be real apps.

If you do install APKs manually from these types of places then make sure you check the APK signature and hash on sites such as VirusTotal to find out if they’re genuine or not.

You should be safe if you only install apps from the Google Play store, but even then, it’s worth running a reputable antivirus app on your Android devices. Naturally, Cybereason Mobile detects and blocks EventBot, but that’s for businesses. If you’re after a consumer app check out our recommendations of the best antivirus software. 

Source

Posted in: