Security researchers at Cybereason Nocturnus have discovered a new Android malware, dubbed EventBot, that targets banks and financial service providers across Europe.
The malware emerged in the threat landscape in March and implements information-stealing and RAT capabilities.
The Cybereason Nocturnus team is investigating EventBot, a new type of malware for Android mobile devices that appeared around March 2020. EventBot is a mobile banking Trojan and infostealer that abuses Android’s accessibility features to steal user data from financial applications and to read and exfiltrate the user’s SMS messages, which lets the malware bypass SMS-based two-factor authentication.
The malware targets more than 200 mobile financial and cryptocurrency applications, including Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase and paysafecard.
Most of the targeted institutions are banks in the United States and Europe, including Italy, the United Kingdom, Spain, Switzerland, France and Germany.
EventBot is still in its infancy, but if development continues it has the potential to become one of the most dangerous pieces of malware in the threat landscape.
EventBot abuses Android’s accessibility features to steal information from infected devices; it is distributed through rogue third-party APK stores, disguised as a legitimate application.
By abusing the accessibility feature, EventBot can intercept SMS messages and bypass SMS-based two-factor authentication.
Upon installation, the malware requests several permissions, including access to accessibility features, the ability to install packages, to open network connections, to read from external storage and to run in the background.
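The permission set described above is a useful triage signal on its own: no single permission is suspicious, but the combination of an accessibility service with SMS access, package installation, network access and persistence is exactly the shape of a banking Trojan. The following is an added example (not code from Cybereason or from the article) that parses a constructed AndroidManifest.xml and flags that combination. The mapping from the capabilities named in the text to concrete permission constants (READ_SMS, REQUEST_INSTALL_PACKAGES, RECEIVE_BOOT_COMPLETED and so on) is this example's assumption; the report does not list the exact constants.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace, so android:name becomes {ns}name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest. The permissions mirror the capabilities the article describes;
# the constants chosen are this example's assumption, not quoted from the EventBot report.
SAMPLE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Sample">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Coarse capability tags; several permissions collapse onto one tag.
RISK_TAGS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install",
    "android.permission.INTERNET": "network",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "background",
    "android.permission.FOREGROUND_SERVICE": "background",
}


def extract_capabilities(manifest_xml: str) -> set[str]:
    """Return the set of coarse capability tags declared by a manifest."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        tag = RISK_TAGS.get(perm.get(NAME, ""))
        if tag:
            caps.add(tag)
    app = root.find("application")
    if app is not None:
        # An accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE,
        # so that attribute is a reliable marker for "this app wants to read the screen".
        for svc in app.iter("service"):
            if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                caps.add("accessibility")
        # A receiver for SMS_RECEIVED is the usual hook for grabbing one-time codes.
        for action in app.iter("action"):
            if action.get(NAME) == "android.provider.Telephony.SMS_RECEIVED":
                caps.add("sms")
    return caps


def triage(caps: set[str]) -> tuple[str, list[str]]:
    """Score the capability combination the way an analyst would read it."""
    findings = []
    if {"accessibility", "sms"} <= caps:
        findings.append("accessibility service plus SMS access: can read what the user "
                        "types into other apps and intercept one-time codes")
    if {"install", "network"} <= caps:
        findings.append("network access plus package installation: can fetch and "
                        "install further payloads")
    if {"background", "accessibility"} <= caps:
        findings.append("boot/foreground persistence plus accessibility: stays resident "
                        "to watch for targeted apps")
    verdict = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(extract_capabilities(SAMPLE_MANIFEST))
    print(verdict)
    for f in findings:
        print(" -", f)
```

The same parser runs unchanged over the decoded manifest that `apktool` or `aapt dump xmltree` produces from a real APK; the point is that the verdict comes from the combination of capabilities, not from any single permission that a legitimate app might also request.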
By analyzing HTTP packets from EventBot version 0.0.0.1, the researchers found that EventBot downloads and updates a configuration file listing nearly 200 targeted financial applications.
The malware also downloads its command-and-control (C2) URLs; C2 traffic is Base64-encoded and encrypted with RC4 and Curve25519.
More recent versions of EventBot also bundle a ChaCha20 library, which is not yet used but could improve performance, indicating that the authors are actively working to optimize EventBot.
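The three names in the C2 description play different roles: Curve25519 is a key-agreement primitive, RC4 is the stream cipher that actually hides the payload, and Base64 is only a transport encoding that adds no confidentiality. The article does not say how EventBot chains them, so the following added example (my own code, not Cybereason's or the malware's) assumes the common layering: an X25519 shared secret hashed into an RC4 key, and the RC4 output Base64-encoded on the wire. The keys and the JSON message are constructed. For an analyst who has recovered one side's private scalar from a sample, reproducing this schedule is what turns a captured blob back into readable C2 traffic.

```python
import base64
import hashlib

# ---- X25519 scalar multiplication (RFC 7748) in plain big-integer arithmetic ----
P = 2**255 - 19
A24 = 121665                          # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """Apply the RFC 7748 bit masks to a 32-byte private scalar."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder; returns the u-coordinate of scalar * point(u)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# ---- RC4 ------------------------------------------------------------------------
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ---- Assumed layering: X25519 -> SHA-256 -> RC4 key -> Base64 on the wire ------
def derive_key(my_private: bytes, peer_public: bytes) -> bytes:
    # Assumption: the raw shared u-coordinate is hashed and truncated to a 16-byte RC4 key.
    return hashlib.sha256(x25519(my_private, peer_public)).digest()[:16]


def wrap(key: bytes, plaintext: bytes) -> str:
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap(key: bytes, wire: str) -> bytes:
    return rc4(key, base64.b64decode(wire))


def demo() -> tuple[bool, bool, str]:
    """Both sides derive the same key; the C2 side decodes what the bot sent."""
    bot_priv = bytes(range(1, 33))          # constructed private scalar
    c2_priv = bytes(range(100, 132))        # constructed private scalar
    bot_pub, c2_pub = x25519(bot_priv, BASEPOINT), x25519(c2_priv, BASEPOINT)
    k_bot, k_c2 = derive_key(bot_priv, c2_pub), derive_key(c2_priv, bot_pub)
    msg = b'{"cmd":"get_config","ver":"0.0.0.1"}'   # constructed message
    wire = wrap(k_bot, msg)
    return k_bot == k_c2, unwrap(k_c2, wire) == msg, wire


if __name__ == "__main__":
    same_key, roundtrip, wire = demo()
    print(f"keys agree: {same_key}, decoded ok: {roundtrip}, on the wire: {wire}")
```

Two things this makes concrete for triage: the Base64 layer is reversible by anyone, so the Base64-looking blobs in a capture are worth decoding before deciding they are opaque; and RC4 with a key derived once per session has no integrity protection and is long deprecated, which is why the presence of an as-yet-unused ChaCha20 library in newer builds reads as the authors preparing to replace it.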
Analysis of EventBot’s C2 infrastructure reveals a potential connection to another Android infostealer that was used to target Italian users in the fall of 2019.
The malware abuses Android’s accessibility feature to steal user information, and its authors update the code every few days and release new features. Each new version adds capabilities such as dynamic library loading, encryption, and adjustments for different locales and device manufacturers.
Although the actor behind EventBot is still unknown and the malware does not appear to have been used in major attacks yet, it is interesting to follow a mobile malware family through its early stages of development.
(SecurityAffairs – Android, malware)