Researchers at Cybereason have found a new Android malware family called EventBot that targets financial applications to steal sensitive data. It has been seen going after users in Europe and the United States, specifically their banking and cryptocurrency apps. Although the malware is still under development, the researchers believe its advanced capabilities could make it a serious threat in the future.
Reading Financial Data With Deep Access
The infection starts with the malware posing as a legitimate app distributed through rogue third-party APK stores. Once installed, it asks for permissions that reach far deeper than ordinary app rights. EventBot abuses Android's Accessibility Services: it tricks the user into granting accessibility access, together with permissions to read external storage, open network sockets, run in the background, and control package installation.
Together, these permissions let the malware steal sensitive data from the user's banking and cryptocurrency apps. The researchers found it targeting apps from financial services such as PayPal, Coinbase, TransferWise, Barclays, Revolut, and Capital One UK, most of them based in the United States or Europe. Beyond stealing information, it can also spy on the user.
Still Under Development
The malware includes a keylogger and can read SMS messages received on the phone, which lets it bypass SMS-based two-factor authentication in addition to stealing financial data. The accessibility privilege lets EventBot harvest autofill content, perform web injections, capture the screen lock PIN, and carry out surveillance. Stolen data is sent to the operators' C2 server Base64-encoded and encrypted with RC4 and Curve25519; Base64 is only an encoding layer, so the confidentiality of the channel rests on the RC4 and Curve25519 steps.
The researchers also note that some EventBot versions included a ChaCha20 library, apparently for better performance, although the current version no longer uses it. The authors are clearly iterating on the malware to make it more capable, which is why the researchers warn that EventBot could have serious implications in the future.
EventBot has not yet been attributed to any known group, as it is still in development, but the researchers tentatively link it to a malware campaign from 2019 that targeted users in Italy in a similar fashion.
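The permission set described in the two sections above (accessibility, external storage, network, background execution, package installation, plus SMS access) is also the signature a defender can look for before an APK from an unknown store is installed. The following is an added example written for this page, not Cybereason's tooling or EventBot code: it parses a constructed, decoded AndroidManifest.xml for a hypothetical app and reports which of the capabilities the article lists the app declares. The capability-to-permission mapping, the package names, and the "accessibility plus at least three other capabilities" threshold are this editor's assumptions; the permission names and the BIND_ACCESSIBILITY_SERVICE declaration pattern are standard Android.

```python
"""Triage an Android manifest for the permission combination the EventBot
write-up describes. Added example; the manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Constructed manifest for a hypothetical dropper; package name is made up.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flash Update">
    <!-- An accessibility service is declared on <service>, not via uses-permission -->
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed control: an ordinary app that only talks to the network.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""

# Editor's mapping from the capabilities the article lists to manifest evidence.
CAPABILITIES = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "network": {"android.permission.INTERNET"},
    "background execution": {"android.permission.RECEIVE_BOOT_COMPLETED",
                             "android.permission.FOREGROUND_SERVICE"},
    "package installation": {"android.permission.REQUEST_INSTALL_PACKAGES",
                             "android.permission.INSTALL_PACKAGES"},
    "SMS interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
}


def extract_permissions(manifest_xml):
    """Collect <uses-permission> names plus any permission guarding a <service>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        if NAME_ATTR in el.attrib:
            perms.add(el.attrib[NAME_ATTR])
    # BIND_ACCESSIBILITY_SERVICE shows up here, on the service declaration.
    for svc in root.iter("service"):
        if PERM_ATTR in svc.attrib:
            perms.add(svc.attrib[PERM_ATTR])
    return perms


def triage(manifest_xml):
    """Return the set of article-listed capabilities the manifest declares."""
    perms = extract_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def is_suspicious(manifest_xml):
    """Editor's heuristic: accessibility plus at least three other capabilities."""
    hits = triage(manifest_xml)
    return "accessibility" in hits and len(hits) >= 4, hits


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        flagged, hits = is_suspicious(manifest)
        print(f"{label}: flagged={flagged} capabilities={sorted(hits)}")
```

Run against a manifest decoded with apktool (or the equivalent output of `aapt dump xmltree`), the heuristic separates an app that merely needs the network from one that asks for every lever EventBot uses; legitimate accessibility tools will also trip it, so treat a hit as a reason to inspect the APK, not as a verdict.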