EventBot Is Ready to Steal Online Banking Passwords and 2FA Verification Codes
Although the online threat landscape changes all the time, the number of new names that appear on it isn't actually that huge. In fact, most of the so-called new malware families are either revamped versions of existing threats or collections of modules and components stolen from known strains and put together under a new name. Security researchers rarely see brand new malware samples that have been written from the ground-up, and the few threats that have been built from scratch are usually unsophisticated and live a rather short life. There are exceptions to these rules, however, and it looks like EventBot might be one of them.
Table of Contents
EventBot – a brand new Android malware family that targets more than 200 banking applications
In early-March, security researchers from Cybereason stumbled upon a previously undocumented Android banking trojan called EventBot that, upon closer inspection turned out to be brand new. In fact, the malware is still in development. When they launch it, the crooks plan to mask it as the Android versions of various software products like Adobe Flash and Microsoft Word, but until then, they have apparently decided that they have a lot of work to do.
In a matter of a few weeks, Cybereason's researchers found no fewer than four different versions of the EventBot trojan. Each of them came with new unique features that made it better than the previous ones.
In an interview for TechCrunch, Assaf Dahan, head of threat research at Cybereason said that EventBot's developers have invested a lot of resources into their creation, and the result is a highly sophisticated and extremely capable banking malware.
EventBot's main goal is to quietly steal victims' login credentials for "over 200" banking, money transfer, and cryptocurrency applications. It can do a lot more than that, though.
How EventBot works
Upon installation, EventBot asks for a wide range of permissions, which are essential for the malware's operations. After that, it requests access to the phone's accessibility services and downloads a configuration file from its Command & Control (C&C) server. Using the permissions it's received during the installation, it creates a file and fills it with information about the compromised device and the apps installed on it. This file is sent back to the C&C over an encrypted connection, and then the real malicious operation can start.
As we mentioned already, EventBot is currently receiving regular updates, and the new versions make it not only harder to detect, but also more versatile. In addition to improvements like a stronger encryption mechanism for the communication with the C&C, the crooks are adding features that let EventBot record keystrokes, read notifications from other applications, and intercept SMS messages. As a result, EventBot's operators can theoretically steal the one-time passwords that you receive as text messages, bypass two-factor authentication, and compromise your account. That's the theory, but what about the practice?
How dangerous can EventBot be?
This largely depends on what the crooks plan to use to infect victims. Third-party app stores have traditionally been a useful tool for distributing Android malware, but after a series of large-scale attacks, plenty of people became aware of the dangers associated with them and started downloading apps from Google Play only.
Meanwhile, Google made some improvements to the screening process at Android's official app store, but occasional incidents prove that the entire ecosystem's security is not as good as it should be.
Given how much time and effort was put into EventBot, it's reasonable to assume that the crooks will try to come up with a convincing infection vector that will trick a significant number of people. It's not clear when they plan on unleashing the malware onto the world, which means that you may as well start being a bit more careful right now.
