A dangerous Trojan-style mobile banking malware bot called EventBot has been uncovered by researchers at online security company Cybereason.
The malware bot masquerades as a well-known app like Microsoft Word or Adobe Flash, and, once downloaded, siphons data, allowing it to snatch bank details and bypass two-step authentication. The malware has targeted users of more than 200 financial apps, including banking and money transfer apps.
Still in its developmental stages, EventBot abuses Android’s accessibility features to steal data from victims. Financial and banking apps targeted include PayPal Business, Barclays, CapitalOne UK, HSBC UK, TescoBank, Santander UK and 100 others.
Applications across the United States, Italy, the UK, Spain, Switzerland, France and Germany have been targeted. The report released by Cybereason on April 30 stated: “This brand-new malware has real potential to become the next big mobile malware.”
Where Did This Banking Malware Bot Come From?
According to the Cybereason Nocturnus team, the malware is evolving rapidly, with new versions released every few days that implement improvements and new capabilities.
“The first version that we saw was very premature or experimental,” Assaf Dahan, the lead researcher on the Cybereason team, told Computer Business Review.
“You could see that the code was not finished or obfuscated. There weren’t many protections around it. It didn’t have all the features the later versions had. We could see very interesting, quick development cycles”.
Each new version of the bot found online expands its functionality and works to shield the malware from analysis.
When installed, the bot will request permissions on the device that, amongst others, will allow it to receive and read text messages and to read from external storage.
It’s Got Enormous Scope to Do Quite a Lot of Damage
Once up and running, EventBot will prompt the user to give it access to accessibility services.
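The permission pattern described above (SMS read/receive and external storage access, combined with an accessibility service) can be checked when triaging an app's decoded manifest. The following is an added example, not code from Cybereason or from the original article; the sample manifest, package name and the `triage_manifest` helper are constructed for illustration. Legitimate apps also use these permissions, so a hit means the app merits manual review, nothing more.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
STORAGE_PERM = "android.permission.READ_EXTERNAL_STORAGE"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: a decoded (text XML) manifest; package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeoffice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Office">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Summarise SMS, storage and accessibility-service declarations in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # A service is an accessibility service if it requires the bind
        # permission or answers the AccessibilityService intent action.
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND or A11Y_ACTION in actions:
            a11y_services.append(svc.get(ANDROID_NS + "name"))
    findings = {
        "package": root.get("package"),
        "sms_access": sorted(perms & SMS_PERMS),
        "external_storage": STORAGE_PERM in perms,
        "accessibility_services": a11y_services,
    }
    # Flag only the combination: SMS access together with an accessibility service.
    findings["review"] = bool(findings["sms_access"]) and bool(a11y_services)
    return findings

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```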
“[EventBot has] got enormous scope to do quite a lot of damage because it goes under a number of different well-known applications”, Alyn Hockey, Vice President of Product Management at cyber security company Clearswift, told Computer Business Review.
“It has a thing called a keylogger, which stores the keys that you press. So if the bot has masqueraded itself as a PayPal app or a Barclays app, it will then remember the keystrokes that you’re using, and be able to infiltrate your bank accounts”.
The Cybereason Nocturnus team is monitoring multiple underground platforms to try to dig out information relating to the malware. New viruses are often introduced to underground communities by being promoted and sold or offered as a giveaway. These signs do not appear to have emerged yet, which means that this malware is still under development and has not been officially marketed or released.
Hockey went on to admit: “This virus has got enormous scope to do quite a lot of damage”.
This article is from the CBROnline archive: some formatting and images may not be present.