A new family of Android banking malware has been discovered that abuses the operating system's accessibility services to exfiltrate confidential data from financial apps, read users' SMS messages and intercept SMS-based two-factor authentication codes.
Named "EventBot" by Cybereason analysts, the malware targets more than 200 financial applications, including banking apps, money-transfer services and cryptocurrency wallets, among them PayPal Business, Revolut, Barclays, CapitalOne, HSBC, Santander, TransferWise and Coinbase.
“EventBot is particularly interesting because it is in such early stages,” the researchers said. “This brand new malware has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications.”
The malware, first identified in March 2020, hides its intent by posing as legitimate applications (e.g., Adobe Flash, Microsoft Word) on rogue APK stores and other questionable websites, and requests extensive system permissions once installed.
Those permissions include access to accessibility settings, reading from external storage, sending and receiving SMS messages, running in the background and launching itself after the device boots.
If the user grants these permissions, EventBot operates as a keylogger and can "retrieve notifications about other installed applications and open window content", in addition to abusing Android's accessibility services to capture the lock-screen PIN and transmit all collected data to an attacker-controlled server in encrypted form.
The ability to parse SMS messages also makes the banking trojan a useful tool for bypassing SMS-based two-factor authentication, giving the adversaries easy access to a victim's cryptocurrency wallets and the ability to drain funds from bank accounts.
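The permission profile described above (an accessibility service combined with SMS access, boot persistence, external-storage reads and background execution) is what a defender can look for when triaging a sideloaded APK. The following is an added example written for this page, not code from Cybereason or from the malware: a small Python heuristic that inspects a decoded AndroidManifest.xml and flags that combination. Real APKs store the manifest as binary XML, so it must first be decoded (for example with apktool or androguard) and the resulting text fed to the function. The mapping of the article's capability list onto concrete Android permission names, the package names and the sample manifests are all assumptions constructed for illustration; the article does not publish EventBot's actual manifest.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for the banking-trojan
permission profile described in the article.  Added example; the permission
mapping and the sample manifests below are constructed, not taken from the
malware itself."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Android manifest attributes live in this XML namespace (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the capabilities listed in the article onto permission names.
SMS_PERMS = {"android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE"}
BOOT_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED"}
BACKGROUND_PERMS = {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
                    "android.permission.FOREGROUND_SERVICE"}
# An accessibility service must be declared with this permission so that only
# the system can bind to it; its presence is the tell-tale sign.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass
class ManifestFindings:
    package: str
    permissions: set
    accessibility_services: list
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def analyze_manifest(xml_text: str) -> ManifestFindings:
    """Parse a decoded manifest and collect the suspicious indicators."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    acc_services = [s.get(ANDROID_NS + "name", "")
                    for s in root.iter("service")
                    if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]
    f = ManifestFindings(root.get("package", ""), perms, acc_services)
    if acc_services:
        f.flags.append("declares an accessibility service (can read window content and keystrokes)")
    if perms & SMS_PERMS:
        f.flags.append("SMS access (can harvest SMS-based 2FA codes)")
    if perms & BOOT_PERMS:
        f.flags.append("starts at boot (persistence)")
    if perms & STORAGE_PERMS:
        f.flags.append("reads external storage")
    if perms & BACKGROUND_PERMS:
        f.flags.append("asks to keep running in the background")
    if acc_services and perms & SMS_PERMS:
        f.flags.append("HIGH: accessibility service plus SMS access matches the banking-trojan profile")
    return f


def is_banking_trojan_profile(xml_text: str) -> bool:
    """True when the decisive combination (accessibility + SMS) is present."""
    return any(flag.startswith("HIGH:") for flag in analyze_manifest(xml_text).flags)


# Constructed sample: a fake "Flash player" update that asks for everything.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Flash Player">
    <service android:name="com.example.flashplayer.update.AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name="com.example.flashplayer.update.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only talks to the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = analyze_manifest(manifest)
        print(f"{name}: {findings.package} score={findings.score}")
        for flag in findings.flags:
            print("  -", flag)
```

The check is deliberately coarse: legitimate screen readers and automation tools also declare accessibility services, so the output is a triage signal to prioritise manual review, not a verdict. The decisive indicator is the pairing of an accessibility service with SMS permissions in an app that has no business reading text messages.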
This isn't the first time financial institutions have been targeted by smartphone malware. Last month, IBM X-Force researchers described a new TrickBot component, dubbed TrickMo, that targeted users in Germany and abused accessibility features to steal one-time passwords (OTP), mobile TANs (mTAN) and pushTAN authentication codes.
“Giving an intruder access to a mobile device may have serious business implications, particularly if the end-user uses their mobile device to address important business issues or access financial details for businesses,” concluded Cybereason researchers. “This can lead to brand degradation, loss of reputation or loss of consumer confidence.”
EventBot's family of malicious apps may not be present on the Google Play Store, but it is yet another reminder of why users should stick to official app stores and avoid sideloading apps from untrusted sources. Keeping Google Play Protect enabled and apps up to date also goes a long way toward shielding users against this kind of malware.