
New Android Malware, “Eventbot” Targets Financial Data

A pernicious new malware that steals Android mobile banking data has been discovered, and it’s targeting Android users throughout Europe and the United States. 

“Eventbot” leverages Android’s accessibility services to reap private data from financial applications. It can also hijack SMS-based two-factor authentication codes and even read user SMS messages, which makes for a foreboding mix of capabilities.

“This one is especially dangerous,” remarks Emilio Simoni, Research Director at dfndr lab. “Eventbot is a trojan that targets over 200 different financial apps.” Simoni explains that these include banking apps, money transfer services, and crypto-currency wallets, such as Coinbase, PayPal Business, TransferWise, HSBC, CapitalOne, Santander, Revolut, and Barclays… and many more.

How EVENTBOT Does Its Damage

First identified in March 2020, Eventbot makes its way onto phones by posing as a legitimate app such as Adobe Flash or Microsoft Word. It primarily resides on unofficial Android app stores and other unauthorized websites, and it has also been delivered through bulk SMS messages and emails, typically offering special savings on popular Android apps.

When installed, Eventbot requests a robust list of permissions, including accessibility settings; “read” permission from external storage; the ability to send and receive SMS messages; run in the background; and launch after system boot.

Users who grant these permissions unwittingly enable EventBot to operate as a keylogger that can extract notifications about other installed applications and scan and scrape the content of open windows. It also further leverages Android’s accessibility services to steal the lock-screen PIN, then sends all of its stolen data in an encrypted format to its command-center server.
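A defender-side sketch of the permission check this description suggests, added here as an example and not taken from dfndr or PSafe code: it reads a decoded AndroidManifest.xml and flags the accessibility-plus-SMS combination. The mapping from the capabilities above to Android permission strings, the `verdict` thresholds and the sample manifest are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities named in the article to standard
# Android permission strings; the article itself lists no permission names.
RISKY = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "launch after boot",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "run in background",
}

def requested_capabilities(manifest_xml):
    """Return the sorted risky capabilities a decoded manifest asks for."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility is not a uses-permission: the app declares a <service>
    # guarded by BIND_ACCESSIBILITY_SERVICE.
    names |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return sorted(RISKY[n] for n in names if n in RISKY)

def verdict(manifest_xml):
    """Flag the combination the article describes: accessibility plus SMS."""
    caps = requested_capabilities(manifest_xml)
    has_sms = any("SMS" in c for c in caps)
    if "accessibility service" in caps and has_sms:
        return "high-risk", caps
    return ("review" if len(caps) >= 3 else "ok"), caps

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(*verdict(SAMPLE))
```

The input is the text form of the manifest, as produced by a decoding tool; the binary XML inside an APK has to be decoded first.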

Simoni explains: “The ability to track SMS messages also enables this malware to pass-through SMS-based two-factor authentications, which opens the gates wide for financial attacks of the very worst kind.”

Protect Yourself

“It’s important to always rely on a security mechanism. dfndr security, for example, has a Safe App Installer feature that is designed expressly to deal with dangerous apps like this,” Simoni offers. “This feature lets you know if an app is safe before you ever install it, and it’s updated constantly by the PSafe security team. We scan the web constantly for updates and information to enrich our database.”

With Safe App Installer, any app you intend to install will be rated for trustworthiness. There are two levels of alert if the feature discovers an issue:

  • Security Alert: If the app is malware;
  • Privacy Alert: If the app already experienced a data breach;
  • Trusted: If the app is not malware or has never experienced a data breach.

“Eventbot would absolutely trigger a security alert,” Simoni notes.

The free version of dfndr security also has an anti-hacking capability that blocks scams directly on the SMS app, web browsers and messaging apps (WhatsApp and Facebook Messenger). It also offers a URL checker to check the security of any URL you enter.

Further Safety Measures for EventBot (and Similar Trojans)

“One of the easiest ways to protect yourself is to make sure that you are only downloading mobile apps from authorized sources,” Simoni emphasizes. “With malwares as dangerous as Eventbot making the rounds, you have to be doubly alert and careful with any unofficial links.” As a rule, you’ll want to avoid any links sent by people unknown to you, or arriving in bulk marketing SMS messages and emails. Finally, be careful with the permissions that apps request: if the list is extremely long or doesn’t make sense, be on guard.

Consider dfndr Pro

One of the best ways to protect your information now is to upgrade your dfndr security app (if you haven’t already) to PRO. (This link will help you learn more, and you can use it to download PRO if you decide it’s right for you.)

With dfndr Pro in your toolbox, the rest is a matter of staying as aware as you can to protect yourself and your family. PSafe will continue to provide updates here on any especially noteworthy new malware that we discover.

This one is VERY dangerous, so be careful out there!

Published by
PSafe Newsroom
