This 'EventBot' Android Malware Is A Trojan, Infostealer, Keylogger, Spyware, And More


Cybercriminals will do just about anything to get their hands on user data, even if they have to take it by force.

As discovered by researchers from Cybereason Nocturnus, the EventBot malware is an Android infostealer, keylogger, and spyware.

It's also a mobile banking Trojan that exfiltrates financial data, and can also intercept SMS messages, which makes it capable of stealing multi-factor authentication codes.

In other words, EventBot is no simple piece of malware, and it can pack a lot of punch.

According to a blog post by the researchers, this malware has emerged recently and carries enough functionality to surpass other Trojans.

EventBot first emerged around March 2020.

EventBot's targets
The Android apps targeted by the EventBot malware. (Credit: Cybereason Nocturnus)
"EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets. Those targeted include applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more."

"It specifically targets financial banking applications across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany."

Usually, the malware pretends to be a legitimate app, such as Adobe Flash Player or another non-threatening app, to blend in and avoid suspicion.

Once installed, the malware seeks permissions and abuses the victim's Android Accessibility feature to access other apps, system information, and device data. It then runs in the background and acts as a keylogger, capturing whatever the victim types in any installed app.

If it is granted the permissions it needs to operate at full capacity, the malware can ignore battery optimization, persist, read data from external storage, overlay windows on other apps, prevent the phone from sleeping, and more.

EventBot then gathers device data including a list of installed apps, device details such as model number and OS, network information, and other data.

It then transmits all the exfiltrated data to the C&C server in encrypted form.

EventBot's permission requests
EventBot’s permissions as seen in the manifest file. (Credit: Cybereason Nocturnus)
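
As an added example (not code from Cybereason or from the original article), this Python function triages a manifest for the combination described above: an accessibility service together with several of the listed behaviours. It assumes the manifest has already been decoded to text XML; the permission-name mapping, the threshold, and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumption: standard Android permission names chosen here for the behaviours
# the article lists; the article itself names behaviours, not permissions.
BEHAVIOURS = {
    "intercept SMS": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "overlay other apps": {P + "SYSTEM_ALERT_WINDOW"},
    "ignore battery optimization": {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "persist across reboot": {P + "RECEIVE_BOOT_COMPLETED"},
    "read external storage": {P + "READ_EXTERNAL_STORAGE"},
    "prevent sleep": {P + "WAKE_LOCK"},
}

def triage_manifest(manifest_xml, threshold=4):
    """Flag an accessibility service combined with >= threshold listed behaviours.
    threshold=4 is an arbitrary value for this example, not a vendor rule."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    hits = sorted(b for b, perms in BEHAVIOURS.items() if perms & requested)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    return {"behaviours": hits, "accessibility_services": a11y,
            "suspicious": bool(a11y) and len(hits) >= threshold}

def build_manifest(package, perms, service_perm):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application><service android:name=".Svc" '
            f'android:permission="{P}{service_perm}"/></application></manifest>')

# Constructed samples: a fake "player" app and a benign screen-reader style app.
SAMPLE_FAKE_PLAYER = build_manifest("com.example.fakeplayer",
    ["RECEIVE_SMS", "SYSTEM_ALERT_WINDOW", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
     "RECEIVE_BOOT_COMPLETED", "READ_EXTERNAL_STORAGE", "WAKE_LOCK", "INTERNET"],
    "BIND_ACCESSIBILITY_SERVICE")
SAMPLE_SCREEN_READER = build_manifest("com.example.reader", ["WAKE_LOCK", "INTERNET"],
    "BIND_ACCESSIBILITY_SERVICE")

if __name__ == "__main__":
    for name, doc in [("fake player", SAMPLE_FAKE_PLAYER),
                      ("screen reader", SAMPLE_SCREEN_READER)]:
        print(name, triage_manifest(doc))
```

The screen-reader sample shows why the check keys on the combination: an accessibility service alone is legitimate, and so is any single permission on the list.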

What makes EventBot particularly interesting is that, even at this early stage, the malware already poses a real potential for damage.

The researchers have discovered each new version of the malware, from version 0.0.0.1 and 0.0.0.2 to 0.3.0.1 and 0.4.0.1.

Aside from extensive malicious capabilities, every new version packs more advanced code obfuscation and encryption.

This Android malware is still in its development phase. Yet, considering its potential, the researchers fear that it will emerge as the next big threat for mobile users.

"By accessing and stealing this data, Eventbot has the potential to access key business data, including financial data," said the researchers, adding that "60% of devices containing or accessing enterprise data are mobile, and mobile devices tend to include a significant amount of personal and business data, assuming the organization has a bring-your-own-device policy in place."

"Mobile malware is a significant risk for organizations and consumers alike, and must be considered when protecting personal and business data."

Published: 12/05/2020