EventBot Malware Logs Keystrokes, Stealing Banking Credentials and Other Private Data
Security experts recently discovered a new type of Android mobile banking malware. It abuses Android's accessibility features to read the user's SMS messages, exfiltrate sensitive data from financial apps, and intercept SMS-based two-factor authentication codes.
Cybereason researchers dubbed this malware "EventBot". This malware can target more than 200 financial apps, including money transfer services, banking, and crypto-currency wallets like Paypal Business, Barclays, Coinbase, Revolut, TransferWise, HSBC, CapitalOne, and Santander.
The researchers note that EventBot is currently in its early stages, which makes it a particularly interesting subject for research. The experts say that this new malware is quite likely to become the next big mobile malware, because it abuses a critical operating system feature and targets financial applications. What is more, the malware is constantly being improved.
The distribution campaign was first identified in March 2020. The malware was disguised as legitimate applications, such as Adobe Flash or Microsoft Word. When installed on the device, the program requests extensive permissions, including access to accessibility settings, the ability to send and receive SMS messages, read from external storage, launch itself after system boot, and run in the background.
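The permission set described above is itself a useful detection signal: a legitimate "Flash player" or document viewer has no reason to declare an accessibility service alongside SMS and boot-completed permissions. The following Python script is an added example (not Cybereason's tooling or anything from the original report) that parses an AndroidManifest.xml and flags that combination. The mapping from the article's wording to concrete permission names (RECEIVE_SMS/READ_SMS/SEND_SMS, READ_EXTERNAL_STORAGE, RECEIVE_BOOT_COMPLETED, and a service bound with BIND_ACCESSIBILITY_SERVICE) is this example's assumption, and the two manifests are constructed for illustration.

```python
"""Flag Android manifests that request the high-risk permission combination
an accessibility-abusing banking trojan needs: an accessibility service plus
SMS access, external storage, and boot persistence.

Added example, not part of the original article or Cybereason's research.
The sample manifests below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Standard Android permission names. Mapping the article's prose ("send and
# receive SMS", "read from external storage", "launch itself after boot")
# onto these strings is this example's assumption.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE"}
BOOT_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(xml_text: str) -> dict:
    """Return per-category findings, a simple score, and a high-risk verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}

    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE;
    # the system only binds to services declaring that permission.
    has_accessibility = any(
        svc.get(PERMISSION) == A11Y_BIND for svc in root.iter("service")
    )

    findings = {
        "accessibility_service": has_accessibility,
        "sms": bool(requested & SMS_PERMS),
        "external_storage": bool(requested & STORAGE_PERMS),
        "boot_persistence": bool(requested & BOOT_PERMS),
    }
    score = sum(findings.values())
    # Accessibility + SMS together is the core of the 2FA-interception pattern;
    # require at least one more capability before calling it high risk.
    high_risk = has_accessibility and findings["sms"] and score >= 3
    return {
        "package": root.get("package"),
        "findings": findings,
        "score": score,
        "high_risk": high_risk,
    }


# Constructed manifest mimicking the permission profile described in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access only, no services.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = analyze_manifest(manifest)
        verdict = "HIGH RISK" if result["high_risk"] else "ok"
        print(f"{result['package']}: score={result['score']} {verdict}")
        for category, hit in result["findings"].items():
            print(f"  {category}: {hit}")
```

The check is deliberately coarse: any one of these permissions has legitimate uses, so the script scores the combination rather than individual entries, and an app-vetting pipeline would feed the result into a review queue rather than block on it outright.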
If the user grants these permissions, EventBot starts operating as a keylogger. It is capable of retrieving the content of open windows and notifications from applications installed on the device. The malware also abuses Android's accessibility services to steal the lock-screen PIN and sends the collected data to a server controlled by the attacker.
Since this banking trojan is able to parse SMS messages, it can be used to bypass SMS-based two-factor authentication. This lets cybercriminals access victims' cryptocurrency wallets and steal money from their bank accounts.
Cybereason researchers warn that the attacker's access to a user's mobile device can have severe consequences, especially if the end user is using this mobile device to discuss sensitive business topics or access corporate financial data.
They also remind users to avoid sideloading apps from untrusted sources and to stick to official app stores. Turning on Google Play Protect and keeping all software updated can also help protect mobile devices from malware.