Potentially significant banking malware found in the wild


There’s no evidence yet it’s been used, but it could be dangerous

A potentially very damaging piece of malware targeting online banking apps has been identified by a group of researchers.

The EventBot mobile banking trojan and infostealer could abuse Android’s accessibility features to steal data from more than 200 different banking apps around the world, as well as reading and stealing SMS messages that could theoretically allow it to bypass two-factor authentication.

Discovered by the Cybereason Nocturnus team in March 2020, the EventBot trojan runs the risk of becoming “the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications,” the researchers say.

A cybersecurity nuclear weapon

Though there’s no evidence that the malware has yet been deployed, nor any evidence that anyone has fallen victim to the trojan, Cybereason Nocturnus’s team still felt the need to blow the whistle because of the risk that it posed to the digital banking sector. 

“If you knew that someone was developing a nuclear weapon, you would want to know about it, even if no one got hurt so far,” says Assaf Dahan, one of the team who identified the trojan targeting banking applications across the United States and Europe. “The developer behind Eventbot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high.”

Dahan and colleagues were persuaded to raise awareness when they looked at the “highly targeted list of 200 apps” that they claim is “a who's who list in banking, money transfer and crypto.” Up to 60% of devices running Android are susceptible to the nascent malware, the researchers reckon.

Targeting Android users specifically

The team of researchers came across EventBot outside the Google Play Store – and are at pains to point out that it currently isn’t on the store. But the information they found out about it and have been tracking as the malware has developed since March shows that it could be a major risk.

Icons, including those for Microsoft Word and Adobe Flash, have been found in the malware’s file structure, hinting that it could try to masquerade as legitimate apps when eventually released. The researchers tracking EventBot’s development believe that it will likely be uploaded to rogue APK stores or unofficial app websites and could spread from there. 

A raft of permissions

Part of the way that EventBot seems to work, based on the research, is by requesting a large number of permissions on any device it is installed on. It can run in the background, install packages and read text messages. When installed, it asks for access to the phone’s accessibility services. Once those are granted, the app can essentially act as a keylogger, siphoning off information in the background.

Digging into the target configuration file, the researchers discovered a long list of financial application targets the malware’s developers seem to be considering hitting. They include large names in the financial sector, including a number from Italy and the UK, as well as the US and elsewhere. 

The researchers have tracked the development of the malware over the course of the last two months and decided to go public to raise awareness proactively, rather than waiting for victims to surface once the trojan is out in the wild. Their advice for avoiding EventBot is relatively simple: don’t download apps from unofficial sources, apply critical thinking when granting permissions to apps, and always check an APK’s signature and hash on sites like VirusTotal before installing it.
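The two defensive checks described above, the permission pattern (accessibility service plus SMS, package-install and background permissions) and the hash you would look up on VirusTotal, can be scripted. The following is an added example written for this article, not code from Cybereason or from the EventBot sample; it assumes a decoded, text-form AndroidManifest.xml (as produced by a tool such as apktool) rather than the binary manifest inside the APK, and the sample manifest is constructed for illustration and does not describe any real app.

```python
import hashlib
import xml.etree.ElementTree as ET

# Android manifest attribute namespace (real value used by all manifests)
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, taken together, match the capability set the article describes:
# reading/intercepting SMS (2FA codes), installing packages, running in the background,
# and drawing over other apps. Each is a real Android permission name.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (2FA codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot / persist in background",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag risky permissions and any declared accessibility service in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = {perm: why for perm, why in HIGH_RISK_PERMISSIONS.items() if perm in requested}
    # An accessibility service is declared as a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # this is the feature the article says EventBot abuses to act as a keylogger.
    accessibility_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
    ]
    # Simple scoring: one point per risky permission, two for an accessibility service.
    score = len(findings) + (2 if accessibility_services else 0)
    return {
        "package": root.get("package"),
        "risky_permissions": findings,
        "accessibility_services": accessibility_services,
        "score": score,
    }


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the APK bytes: the value to look up on VirusTotal before installing."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file from disk so large APKs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Update">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: score {report['score']}")
    for perm, why in report["risky_permissions"].items():
        print(f"  {perm}: {why}")
    for svc in report["accessibility_services"]:
        print(f"  accessibility service declared: {svc}")
    # Hash the sample manifest bytes here only to show the call; hash the real APK file in practice.
    print("sha256:", sha256_hex(SAMPLE_MANIFEST.encode()))
```

On a real device the installer only shows the requested permissions one at a time, which is why a bulk review like this before sideloading is useful: an app whose manifest combines an accessibility service with SMS and package-install permissions deserves far more scrutiny than any single permission prompt suggests, and the SHA-256 from sha256_of_file is the value to search on VirusTotal.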