Security researchers at Cybereason are warning of a new mobile banking trojan that steals details from financial apps and intercepts SMS messages to bypass two-factor authentication mechanisms. According to experts who have examined the code of the malware, known as EventBot, it differs substantially from previously known Android malware - suggesting that it might be written by a new group of cybercriminals. Any malware that can harvest banking passwords and financial data, and waltz past protection mechanisms like 2FA, to break into accounts is obviously a concern, but what makes EventBot more troubling is the broad range of targets in its sights. EventBot targets a list of over 200 different banking and finance apps, most of which are designed for banks and cryptocurrency wallet services.
Amongst the apps targeted are PayPal Business, Revolut, Barclays, UniCredit, CapitalOne, HSBC, Santander, TransferWise, and Coinbase. Cybereason's researchers have published a full list (PDF) if you wish to check if your particular app might be at risk. What is also troubling is that EventBot was first seen in March 2020, and yet despite its infancy has demonstrated a high level of sophistication, with its unknown developers actively pushing out new versions every few days.
"With each new version, the malware adds new features like dynamic library loading, encryption, and adjustments to different locales and manufacturers."
One piece of good news is that so far the malware does not appear to have been able to inveigle its way into the official Google Play store, meaning that it is likely to have only been distributed via third-party marketplaces. Android users need to change their settings to allow apps to be installed from unknown sources, but history has shown that with the right social engineering techniques criminals have been able to trick users into doing just that. Furthermore, upon installation, EventBot - posing as a legitimate application - asks for a wide range of permissions including access to accessibility features, the ability to open network socikets, the ability to run in the background, and package installation controls. The app needs such a wide range of permissions to conduct its dirty work - including stealing keypresses and details from notifications displayed by other apps (such as two-factor authentication codes sent via SMS message.) Cybereason's researchers warn that EventBot "has real potential to become the next big mobile malware." We'll have to see if that prediction comes true or not, but what is much more certain are the steps that Android users should take to protect themselves:
- Keep your Android device up-to-date with the latest security updates from legitimate sources.
- Turn on Google Play Protect - Google's built-in malware protection for Android, which automatically scans your device.
- Download your apps from official sources, such as the Google Play Store - not unofficial app stores.
- Always consider carefully whether you will accept the permissions an app requests upon installation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
