Researchers from Cybereason have found a new Android malware, EventBot, that actively targets financial applications to steal sensitive data. It is aimed at users in Europe and the United States, and specifically at their banking and cryptocurrency apps. Although it is still under development, the researchers believe it could become a serious threat, citing its advanced capabilities.
Reading Financial Data With Deep Access
It all starts with the malware posing as a legitimate app downloaded from rogue third-party APK stores. On installation it requests permissions that go well beyond what a normal app needs, comparable to administrator rights. EventBot abuses Android's Accessibility Service: it tricks the user into granting accessibility access along with permissions to read external storage, open network sockets, run in the background, and control package installation.
Together these let the malware steal sensitive data from users' banking and cryptocurrency apps. Researchers found it targeting financial apps including PayPal, Coinbase, TransferWise, Barclays, Revolut, and Capital One UK, most of them based in the United States or Europe. Beyond stealing information, it is also capable of spying on users.
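The permission set described above is also the quickest triage signal an analyst has when looking at an unpacked APK. The following script is an added example, not Cybereason's tooling or anything from EventBot itself: it parses a constructed AndroidManifest.xml, flags the permissions the article lists, and checks for a declared accessibility service (which is a `<service>` guarded by `BIND_ACCESSIBILITY_SERVICE`, not a `<uses-permission>` entry). The risk thresholds and the sample manifest are arbitrary assumptions for illustration.

```python
"""Manifest triage heuristic for the permission set the article attributes to
EventBot. Added example, not Cybereason's tooling or EventBot's code; the manifest
below is constructed for illustration and the risk thresholds are arbitrary."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# <uses-permission> entries mapped to the capability the article describes.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.INTERNET": "open network sockets (C2 traffic)",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart in the background after reboot",
    "android.permission.FOREGROUND_SERVICE": "keep running in the background",
    "android.permission.REQUEST_INSTALL_PACKAGES": "control package installation",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "read stored SMS (2FA codes)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest in the shape a decompiled dropper might present.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Flash Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the suspicious permissions found, any declared accessibility
    services, and a coarse risk label."""
    root = ET.fromstring(xml_text)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ATTR_NAME, "")
        if name in SUSPICIOUS_PERMISSIONS:
            findings[name] = SUSPICIOUS_PERMISSIONS[name]

    # The accessibility hook is a <service> guarded by BIND_ACCESSIBILITY_SERVICE,
    # declared by the app rather than requested as a <uses-permission>.
    accessibility = [
        svc.get(ATTR_NAME) for svc in root.iter("service")
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND
    ]

    sms = any(p.endswith(("RECEIVE_SMS", "READ_SMS")) for p in findings)
    installer = "android.permission.REQUEST_INSTALL_PACKAGES" in findings
    if accessibility and (sms or installer):
        risk = "high"      # screen control plus 2FA interception or self-install
    elif accessibility or sms:
        risk = "medium"
    else:
        risk = "low"
    return {"permissions": findings, "accessibility_services": accessibility, "risk": risk}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("risk:", report["risk"])
    for name, why in report["permissions"].items():
        print(f"  {name}: {why}")
    for svc in report["accessibility_services"]:
        print(f"  accessibility service: {svc}")
```

Accessibility access alone is legitimate for many apps; the combination with SMS interception or self-installation is what separates a banking trojan from a screen reader, which is why the heuristic weights the intersection rather than any single permission.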
Still Under Development
The malware is a sophisticated keylogger: it can steal not only financial data but also read SMS messages received by the phone, which lets it defeat SMS-based two-factor authentication (2FA). The accessibility privilege lets EventBot read autofill content, perform web injections, capture the screen lock PIN, and carry out surveillance. All stolen data is sent to the author's C2 server encoded with Base64 and encrypted with RC4 and Curve25519. Note that Base64 is only an encoding, not encryption; whatever confidentiality the channel has rests on the RC4 and Curve25519 layers.
Researchers also say that recent EventBot versions included a ChaCha20 library, presumably for better performance, but it is no longer used. It is clear that the authors are actively developing the malware to make it more advanced, which is why researchers warn that EventBot could have serious implications in the future.
While there is no firm attribution yet, since the malware is still in development, researchers tentatively link it to a 2019 malware campaign that targeted users in Italy in a similar way.
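The Base64-plus-RC4 layer mentioned above is the part of the C2 channel an analyst can strip off directly once the key is recovered from the APK. The following is an added example, not EventBot's code or Cybereason's decoder: a textbook RC4 implementation wrapped in encode/decode helpers for a beacon, exercised on a constructed key and record. The Curve25519 stage of newer builds is not modeled, and `DEMO_KEY` and `DEMO_RECORD` are hypothetical.

```python
"""Decoder for the Base64 + RC4 layer the article says EventBot applies to
exfiltrated data. Added example, not EventBot's code; the key and the sample
record are constructed, and the Curve25519 stage of newer builds is not modeled."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, record: bytes) -> str:
    """What a bot would send: RC4-encrypt, then Base64 for transport."""
    return base64.b64encode(rc4(key, record)).decode("ascii")


def decode_beacon(key: bytes, payload: str) -> bytes:
    """What an analyst does with a captured beacon: strip Base64, then RC4."""
    return rc4(key, base64.b64decode(payload))


# Constructed key and record (hypothetical); a real key would be recovered
# from the unpacked APK or from memory of the running sample.
DEMO_KEY = b"hypothetical-hardcoded-key"
DEMO_RECORD = b"app=com.example.bank;sms=123456;pin=4821"

if __name__ == "__main__":
    wire = encode_beacon(DEMO_KEY, DEMO_RECORD)
    print("on the wire:", wire)
    print("recovered:  ", decode_beacon(DEMO_KEY, wire))
```

With a static RC4 key embedded in the APK, anyone who has the sample can decrypt captured traffic this way, which is one reason a key-agreement primitive such as Curve25519 is a meaningful upgrade for the malware's authors and a complication for defenders.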
Via: ZDNet