
EventBot

Posted: April 30, 2020

Mobile banking Trojans continue to be a very profitable venture for cybercriminals, and malware researchers have recently identified yet another Android banking Trojan, whose activity spiked in March 2020. The threat, dubbed EventBot, is actively being distributed to targets in Europe and the United States. The Trojan is able to mimic the applications and payment pages of popular payment service providers such as PayPal, TransferWise, Coinbase, Paysafecard, Revolut, CapitalOne UK and others.

The EventBot Android Trojan Targets Users in Europe and the US

The criminals behind such campaigns often target less-developed countries, but EventBot's authors clearly have other plans. In addition to going after wealthier targets, the operators of the EventBot Trojan are also applying frequent updates to their threatening application. Cybersecurity experts have identified a dozen variants of the EventBot Trojan, all with minor differences that are likely due to the fact that the project is still being developed.

It seems that the recently discovered samples of the EventBot Trojan were disguised as legitimate mobile applications that were hosted on various services and sites. It is very likely that EventBot's authors will opt to use fake APK files to reach their targets in the future. Once launched, the threatening application requests permission to manipulate Android's accessibility features, a common trick that many banking Trojans use to gain free rein over the compromised device.

EventBot's Operators may Bypass 2FA

Once running, EventBot gains the ability to exfiltrate information about the device's software and hardware, contacts, running processes and installed applications. Furthermore, it can capture and read text messages, so it is possible that the operators of the Trojan may be able to bypass two-factor authentication (2FA). The attack itself is executed thanks to the Trojan's ability to inject overlays in opened applications and windows: if it detects that the user is accessing one of the targeted financial institutions, it will display a phishing prompt that may be used to collect data or to complete fraudulent transactions.
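For defenders triaging an unknown APK, the capability combination described above can be checked in the app's decoded manifest. The following is an added example, not code from this article or from any EventBot analysis; the permission mapping, the function name `triage_manifest` and both sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours named in the article, mapped to standard Android permissions.
# The mapping is this example's assumption, not a list taken from EventBot.
BEHAVIOURS = {
    "accessibility service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "reads text messages": {"android.permission.READ_SMS",
                            "android.permission.RECEIVE_SMS"},
    "draws overlays": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "reads contacts": {"android.permission.READ_CONTACTS"},
}

def triage_manifest(manifest_xml):
    """Return (behaviours found, risky flag) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility services are declared on <service android:permission=...>,
    # not requested through <uses-permission>, so collect those as well.
    requested |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    found = sorted(b for b, perms in BEHAVIOURS.items() if perms & requested)
    # Flag the combination the article warns about: accessibility control
    # together with SMS access, which puts one-time 2FA codes within reach.
    risky = "accessibility service" in found and "reads text messages" in found
    return found, risky

# Constructed sample: an "updater" app asking for the risky combination.
SAMPLE_SUSPICIOUS = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a messaging app with SMS access but no accessibility service.
SAMPLE_BENIGN = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messages">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

A flagged manifest is a reason for closer review, not proof of malice, since legitimate assistive apps also declare accessibility services.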

The EventBot Trojan already looks like a top-shelf Android banking Trojan and, unfortunately, it seems that its authors are continuing to expand its features with every passing day. This project has the potential to become one of the most high-profile Android threats of 2020, especially if its operators manage to expand its reach.
