Malware Alert! New Android Mobile Banking Trojan ‘EventBot’ Debuts

Researchers at Cybereason Nocturnus have discovered EventBot, a new type of Android mobile malware that exploits Android’s accessibility features. It steals the victim’s data from financial applications installed on their Android device(s) by reading inbox messages, which allows the malware to bypass user security measures such as two-factor authentication (2FA).

EventBot Android Malware

  • EventBot is an Android banking Trojan belonging to the mobile malware
  • Its modus operandi is the theft of financial information by exploiting Android’s accessibility feature.
  • Once successfully installed, EventBot collects a victim’s personal data, including passwords, keystrokes, banking information, and more. This information can be used for identity theft, transaction hijacking, and more.
  • It is known to specifically target users across the U.S. and Europe, including Italy, the U.K., Spain, Switzerland, France, and Germany.
  • Over 200 finance-based applications are potentially affected by the EventBot Android malware, including banking, money transfer services, and e-wallet applications such as PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, Paysafecard, and many more.

Preventive Measures for EventBot

  • Download mobile apps from official and authorized sources only. Avoid unofficial links sent by unknown people or arriving in bulk marketing SMS messages and emails. It could be a smishing or phishing attempt. For legitimate Android apps, go to the Google Play Store and double-check for the Verified by Play Protect assurance symbol.
  • Check the app permissions requested. Critically analyze whether these permissions are required and should be granted to a certain application.
  • If even a slight doubt persists, check the APK signature and hash values of the application in sources like VirusTotal before installing it on your device.
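
A pre-install check along the lines of the last two measures, as an added example (not code from the original article or from Cybereason): it hashes an APK, compares the digest with a blocklist you supply, and lists manifest permissions tied to accessibility and SMS access. The choice of permissions, the function names and the sample APK are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Real Android permission names matching the behaviour described above
# (accessibility abuse, SMS reading); choosing these three is this example's assumption.
REVIEW_PERMISSIONS = (
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
)

def permissions_to_review(apk_bytes: bytes) -> list:
    """Byte-level search of the compiled manifest, not a full AXML parse.
    Its string pool is UTF-8 or UTF-16LE, so both encodings are checked."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        manifest = apk.read("AndroidManifest.xml")
    return [p for p in REVIEW_PERMISSIONS
            if p.encode("utf-8") in manifest or p.encode("utf-16-le") in manifest]

def triage(apk_bytes: bytes, known_bad_sha256: set) -> dict:
    """Hash the file, compare against a blocklist, and list permissions to question."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    report = {"sha256": digest, "known_bad": digest in known_bad_sha256,
              "review": [], "error": None}
    try:
        report["review"] = permissions_to_review(apk_bytes)
    except (zipfile.BadZipFile, KeyError) as exc:
        # Not a ZIP, or no manifest: not an installable APK, treat as suspect.
        report["error"] = type(exc).__name__
    return report

def build_sample_apk(permissions) -> bytes:
    """Constructed stand-in for an APK: a ZIP whose manifest holds UTF-16LE strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml",
                   b"\x03\x00\x08\x00" + "\0".join(permissions).encode("utf-16-le"))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_apk(["android.permission.INTERNET",
                               "android.permission.READ_SMS",
                               "android.permission.BIND_ACCESSIBILITY_SERVICE"])
    blocklist = {hashlib.sha256(sample).hexdigest()}  # constructed, not a real IoC
    print(triage(sample, blocklist))
    print(triage(b"not an apk", blocklist))
```

A permission in the review list is a prompt to question the app, not a verdict: legitimate accessibility and messaging apps declare the same permissions.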

Threat Summary

Threat Name: EventBot
Threat Type: Android malware, a mobile banking trojan
Target Industry: Finance (including banking, money transfer services, and e-wallets)
Target Audience: Europe & the U.S.
Campaign Active Since: At least March 2020
Features: Dynamic library loading, encryption, and adjustments to different locales and manufacturers.
Damages Caused: Financial and confidential data of the victim can be compromised.

Indicators of Compromise (IOC)

SHA256
