Researchers at Cybereason Nocturnus have discovered EventBot, a new type of Android mobile malware that abuses Android's accessibility features. It steals the victim's data from financial applications installed on their Android device and reads incoming SMS messages, which lets the malware bypass user security measures such as two-factor authentication (2FA).
EventBot Android Malware
- EventBot is an Android banking Trojan, a form of mobile malware.
- Theft of the victim's financial information by abusing Android's accessibility feature is this malware's modus operandi.
- On its successful installation, EventBot collects a victim’s personal data including passwords, keystrokes, banking information, and more. This set of information can be used for identity theft, transaction hijacking, and more.
- It is known to specifically target users across the U.S. and Europe, including Italy, the U.K., Spain, Switzerland, France, and Germany.
- Over 200 finance-based applications are potentially affected by EventBot Android malware, which includes banking, money transfer services, and e-wallet applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, Paysafecard, and many more.
Preventive Measures for EventBot
- Download mobile apps from official and authorized sources only. Avoid unofficial links sent by unknown people or received in bulk marketing SMS messages and emails; they could be smishing or phishing attempts. For legitimate Android apps, go to the Google Play Store and double-check for the "Verified by Play Protect" assurance symbol.
- Check the app permissions requested. Critically analyze whether these permissions are required and should be granted to a certain application.
- If any doubt remains, check the APK signature and hash values of the application against sources like VirusTotal before installing it on your device.
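A small triage helper for the last two checks above: it hashes an APK and compares the digest with the 64-character hash listed under Indicators of Compromise below (a SHA-256 digest), and it flags the manifest combination the advisory describes, an accessibility service together with SMS access. This is an added example, not code from Cybereason or from the advisory; the identifier lists, the idea of feeding it identifiers read off a decoded manifest, and the stand-in file built by `demo()` are all assumptions or constructed for the demonstration.

```python
import hashlib
import tempfile

# Hash listed under "Indicators of Compromise" in this advisory (a SHA-256 digest).
EVENTBOT_SHA256 = {
    "41cf4ca70cf52b6682303a629193da78ab00701da6aed5650b72015c056920da",
}
# Manifest identifiers matching the behaviour the advisory describes: an
# accessibility service (screen/keystroke capture) plus SMS access (2FA codes).
ACCESSIBILITY_IDS = {"android.permission.BIND_ACCESSIBILITY_SERVICE",
                     "android.accessibilityservice.AccessibilityService"}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def sha256_of_file(path):
    """Hash the APK in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_eventbot(digest):
    """Case-insensitive lookup of a hex digest in the IoC set."""
    return digest.strip().lower() in EVENTBOT_SHA256


def assess_apk(path, manifest_ids):
    """Triage verdict for one APK. manifest_ids is the set of permission and
    intent-filter identifiers from the decoded manifest (e.g. read off
    `aapt dump xmltree <apk> AndroidManifest.xml`); decoding the binary
    manifest is assumed to happen separately."""
    digest = sha256_of_file(path)
    risky_combo = bool(manifest_ids & ACCESSIBILITY_IDS) and bool(manifest_ids & SMS_PERMISSIONS)
    return {"sha256": digest,
            "known_eventbot": is_known_eventbot(digest),
            "accessibility_and_sms": risky_combo}


def demo():
    """Run the triage on a constructed stand-in file (not a real APK)."""
    with tempfile.NamedTemporaryFile(suffix=".apk", delete=False) as fh:
        fh.write(b"PK\x03\x04 constructed sample, not a real APK")
        sample = fh.name
    # Constructed identifier set: the risky combination, but an unknown hash.
    return assess_apk(sample, {"android.permission.INTERNET",
                               "android.permission.READ_SMS",
                               "android.permission.BIND_ACCESSIBILITY_SERVICE"})
```

A hash miss only means the file is not the listed sample; the permission flag is what catches a repackaged build, and either result still warrants a VirusTotal lookup before installing.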
| Field | Details |
|---|---|
| Threat type | Android malware, a mobile banking trojan |
| Target Industry | Finance (including banking, money transfer services, and e-wallets) |
| Target Audience | Europe & the U.S. |
| Campaign Active Since | From at least March 2020 |
| Features | Dynamic library loading, encryption, and adjustments to different locales and manufacturers. |
| Domain Indicators | themoil[.]site |
| IP Indicators | 185.158.249[.]141 |
| Damages caused | Financial and confidential data of the victim can be compromised. |
Indicators of Compromise (IOC)
41cf4ca70cf52b6682303a629193da78ab00701da6aed5650b72015c056920da, and more.