May 1, 2020

Trojan Mobile Banking Malware Bot with ‘Enormous Scope’ Uncovered by Researchers

'If the bot has masqueraded itself as Paypal or Barclays, it will remember the keystrokes you use and be able to infiltrate your bank accounts'

By Claudia Glover

A dangerous Trojan-style mobile banking malware bot called EventBot has been uncovered by researchers at online security company Cybereason.

The malware bot masquerades as a well-known app like Microsoft Word or Adobe Flash and, once downloaded, siphons data, allowing it to snatch bank details and bypass two-step authentication. The malware has targeted users of more than 200 financial apps, including banking and money-transfer apps.


Still in its developmental stages, EventBot abuses Android’s accessibility features to steal data from victims. Financial and banking apps targeted include PayPal Business, Barclays, CapitalOne UK, HSBC UK, TescoBank, Santander UK and 100 others.

Applications across the United States, Italy, the UK, Spain, Switzerland, France and Germany have been targeted. The report released by Cybereason on April 30 stated: “This brand-new malware has real potential to become the next big mobile malware.”

Where Did This Banking Malware Bot Come From?

According to the Cybereason Nocturnus team, the malware is evolving rapidly, with new versions released every few days that implement improvements and new capabilities.

“The first version that we saw was very premature or experimental”, Assaf Dahan, the lead researcher on the Cybereason team, told Computer Business Review.

“You could see that the code was not finished or obfuscated. There weren’t many protections around it. It didn’t have all the features the later versions had. We could see very interesting, quick development cycles”.


Each new version of the bot found online expands its functionality and works to shield the malware from analysis.

When installed, the bot will request permissions on the device that, amongst others, will allow it to receive and read text messages and to read from external storage.

It’s Got Enormous Scope to do Quite a lot of Damage

Once up and running, EventBot will prompt the user to give it access to accessibility services.
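The permission pattern described above (SMS receive and read, external storage read, plus an accessibility service) can be checked for when triaging an app before it is allowed on managed devices. The following is an added example, not code from Cybereason or from this article; it assumes the manifest has already been decoded to plain XML, the package and service names are constructed, and the `review` flag is a triage heuristic rather than a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android permission names matching what the article says the bot requests.
WATCHED = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# A service guarded by this permission is an accessibility service.
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(xml_text):
    """Summarise the SMS/storage/accessibility footprint of a decoded manifest."""
    root = ET.fromstring(xml_text.strip())
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                if s.get(ANDROID_NS + "permission") == A11Y_BIND]
    hits = sorted(WATCHED & requested)
    return {
        "package": root.get("package"),
        "watched_permissions": hits,
        "accessibility_services": services,
        # Heuristic (assumption): accessibility plus SMS access warrants manual review.
        "review": bool(services) and any(p.endswith("_SMS") for p in hits),
    }

NS_DECL = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: a "document viewer" that wants SMS and accessibility.
SUSPECT = f"""
<manifest {NS_DECL} package="com.example.constructed.docviewer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".InputHelperService" android:permission="{A11Y_BIND}"/>
  </application>
</manifest>"""
# Constructed sample: a gallery app that only reads storage.
BENIGN = f"""
<manifest {NS_DECL} package="com.example.constructed.gallery">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(audit_manifest(sample))
```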

“[EventBot has] got enormous scope to do quite a lot of damage because it goes under a number of different well-known applications”, Alyn Hockey, Vice President of Product Management at cyber security company Clearswift told Computer Business Review.

“It has a thing called a keylogger, which stores the keys that you press. So if the bot has masqueraded itself as a Paypal app or a Barclays app, it will then remember the keystrokes that you’re using, and be able to infiltrate your bank accounts”.

The Cybereason Nocturnus team is monitoring multiple underground platforms to try to dig out information relating to the malware. New viruses are often introduced to underground communities by being promoted and sold or offered as a giveaway. These signs do not appear to have emerged yet, which means that this malware is still under development and has not been officially marketed or released.

Hockey went on to admit: “This virus has got enormous scope to do quite a lot of damage”.
