A pernicious new malware that steals Android mobile banking data has been discovered, and it’s targeting Android users throughout Europe and the United States.
“Eventbot” leverages Android’s accessibility services to reap private data from financial applications. It also has the ability to hijack SMS-based two-factor authentication codes, and it can even read user SMS messages. A very foreboding mix of capabilities.
“This one is especially dangerous,” remarks Emilio Simoni, Research Director at dfndr lab. “Eventbot is a trojan that targets over 200 different financial apps.” Simoni explains that these include banking apps, money transfer services, and cryptocurrency wallets such as Coinbase, PayPal Business, TransferWise, HSBC, CapitalOne, Santander, Revolut, and Barclays… and many more.
First identified in March 2020, Eventbot makes its way onto phones by posing as a legitimate app: Adobe Flash, Microsoft Word, and similar. Eventbot primarily resides on unofficial Android app stores and other unauthorized websites; it has also been delivered through bulk SMS messages and emails, typically offering special savings on popular Android apps.
When installed, Eventbot requests an extensive list of permissions, including accessibility settings; “read” permission from external storage; and the ability to send and receive SMS messages, run in the background, and launch after system boot.
Users who grant these permissions unwittingly enable Eventbot to operate as a keylogger that can extract notifications about other installed applications and scan and scrape the content of open windows. It also further leverages Android’s accessibility services to steal the lock-screen PIN, and then sends all of its stolen data in an encrypted format to its command-center server.
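The permission set described above can be checked before installation by reading an app's decoded manifest. The sketch below is an added example, not code from dfndr or PSafe; the mapping from the article's capability list to Android permission names and both sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Article's capability list mapped to Android permission names (example's assumption).
CAPABILITIES = {
    "accessibility": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "external storage read": {P + "READ_EXTERNAL_STORAGE"},
    "sms": {P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS"},
    "background execution": {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "start at boot": {P + "RECEIVE_BOOT_COMPLETED"},
}

def declared_permissions(manifest_xml):
    """Collect permission names from a decoded (text) AndroidManifest.xml."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("refusing manifest with DTD or entity declarations")
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.update(el.get(ANDROID + "name") for el in root.iter(tag))
    # An accessibility service is declared as <service android:permission="...">.
    perms.update(el.get(ANDROID + "permission") for el in root.iter("service"))
    perms.discard(None)
    return perms

def audit(manifest_xml):
    """Report which of the listed capabilities an app requests."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & names)
            for cap, names in CAPABILITIES.items() if perms & names}
    # Accessibility plus SMS covers screen scraping and SMS two-factor interception.
    return {"capabilities": hits, "high_risk": "accessibility" in hits and "sms" in hits}

# Constructed sample manifests, not taken from any real app.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
FAKE_READER = f"""<manifest {NS} package="com.example.reader">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><service android:name=".Helper"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
GALLERY = f"""<manifest {NS} package="com.example.gallery">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
print(audit(FAKE_READER)["high_risk"], audit(GALLERY)["high_risk"])
```

A `high_risk` result is a prompt for closer review rather than proof of malice, since legitimate accessibility tools can request the same pairing.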
Simoni explains: “The ability to track SMS messages also enables this malware to pass-through SMS-based two-factor authentications, which opens the gates wide for financial attacks of the very worst kind.”
“It’s important to always rely on a security mechanism. dfndr security, for example, has a Safe App Installer feature that is designed expressly to deal with dangerous apps like this,” Simoni offers. “This feature lets you know if an app is safe before you ever install it, and it’s updated constantly by the PSafe security team. We scan the web constantly for updates and information to enrich our database.”
With Safe App Installer, any app you intend to install will be rated for trustworthiness. There are two levels of alert if the feature discovers an issue:
“Eventbot would absolutely trigger a security alert,” Simoni notes.
The free version of dfndr security also has an anti-hacking capability that blocks scams directly on the SMS app, web browsers and messaging apps (WhatsApp and Facebook Messenger). It also offers a URL checker to check the security of any URL you enter.
“One of the easiest ways to protect yourself is to make sure that you are only downloading mobile apps from authorized sources,” Simoni emphasizes. “With malwares as dangerous as Eventbot making the rounds, you have to be doubly alert and careful with any unofficial links.” As a rule, you’ll want to avoid any links sent by people unknown to you, and links in bulk marketing SMS messages and emails. Finally, be careful with the permissions that apps request: if the list is extremely long or doesn’t make sense, be on guard.
One of the best ways to protect your information now is to upgrade your dfndr security app (if you haven’t already) to PRO. (This link will help you learn more, and you can use it to download PRO if you decide it’s right for you.)
With dfndr PRO in your toolbox, the rest is a matter of staying as aware as you can to protect yourself and your family. PSafe will continue to provide updates here on any newly discovered malware that is especially noteworthy.
This one is VERY dangerous, so be careful out there!