Eventbot is an Android banking Trojan that steals credentials and other sensitive data from mobile banking and financial apps. It does not exploit a vulnerability; it abuses Android’s built-in Accessibility Service to read what is on screen, capture SMS messages and banking PINs, and intercept the one-time codes that most banking apps rely on for two-factor authentication.
Eventbot has not been found on the Google Play Store so far. It is distributed through third-party sources, disguised as popular apps such as Microsoft Word or Adobe Flash Player. Once installed on an Android device it can read notifications and SMS messages, capture PINs, and log in to banking and financial apps with the stolen credentials. It can also read notifications shown on the lock screen.
Here are a few points you need to keep in mind about Eventbot:
1. The malicious apps use icons that mimic legitimate applications such as Microsoft Word and Adobe Flash Player, making them hard to tell apart from the real thing.
2. At launch, the app asks the user to enable its Accessibility Service; everything else it does depends on that permission.
3. It collects the list of installed applications and device information and sends them to a command-and-control (C&C) server.
4. It can steal SMS messages and capture the screen-lock PIN.
5. Four versions have been seen so far. Older versions used the simple package name “com.example.eventbot”; the latest versions use obfuscated package names, so the package name alone is not a reliable indicator.
Eventbot targets over 200 financial applications, including PayPal Business, Capital One UK, HSBC UK, Santander UK, TransferWise, Paysafecard and many more.
How can you stay protected from Eventbot malware?
Be extremely cautious about which apps you install on your phone. Do not install apps that look suspicious or ask for more permissions or personal details than they need at install time, and be especially wary of any app that asks you to enable an Accessibility Service it has no obvious reason to use. Always download apps from legitimate sources such as the Google Play Store.
Eventbot is capable of performing overlay attacks (placing its own windows on top of other applications). The displayed content, such as a login form, is typically very similar or even identical to that of the real application underneath.
Unsuspecting users who enter sensitive information (e.g., login credentials, credit card details) into forms or other content displayed by Eventbot inadvertently hand those details to the criminals. Research shows that this Trojan targets banking-related applications and cryptocurrency wallets.
Furthermore, Eventbot is capable of accessing users’ SMS messages. If any messages contain passwords or other confidential details, they might also be stolen.
By abusing the Accessibility Service, the operators of this Trojan can also read contacts (names and numbers), list installed apps, display push notifications, launch and delete applications, send text messages, open web addresses and perform other actions on the device.
In this way, cyber criminals can cause monetary loss, identity theft, loss of online privacy and other serious harm.
Eventbot is distributed disguised as one of a number of legitimate applications, for example Microsoft Office Word, Adobe Flash Player and others. In short, devices are infected when users download and install the malicious app, which appears to be official.
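The behaviours in the numbered list above (the accessibility prompt at launch, the early com.example.eventbot package name) and the overlay, SMS and accessibility abuse described in this section all leave traces in the device’s own configuration, which is what a responder would check first. The following Python script is an added example, not code from the original article or from any vendor report. It triages, offline, the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners`, `adb shell pm list packages -3` and a `dumpsys package <pkg>` excerpt per third-party package, and flags apps that combine an enabled accessibility service with overlay or SMS permissions. All sample outputs in the block are constructed for the example, and every package name other than com.example.eventbot is hypothetical.

```python
"""Offline triage of adb output for EventBot-style accessibility/overlay abuse.

Added example. Feed it real output from:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -3
  adb shell dumpsys package <pkg>      (one excerpt per third-party package)
"""
import re

# Package name used by early EventBot builds (from the article); later builds
# randomise it, so treat a match as strong but its absence as meaningless.
KNOWN_BAD_PACKAGES = {"com.example.eventbot"}

# Permissions that, combined with an accessibility service, enable the theft
# the article describes: overlays for fake login forms, SMS for 2FA codes.
# Note: on Android 6+ the overlay grant is an app-op, so also check
# `adb shell cmd appops get <pkg> SYSTEM_ALERT_WINDOW` for the effective state.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays (fake login forms)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "can read stored SMS",
}

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true", re.M)


def parse_service_list(value):
    """Parse 'pkg/.Service:pkg2/.Service2' as produced by the two settings
    keys above and return the set of packages owning an enabled service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_third_party(pm_output):
    """Parse 'package:<name>' lines from `pm list packages -3`."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def granted_permissions(dumpsys_excerpt):
    """Return permissions reported as granted=true in a dumpsys package excerpt."""
    return set(GRANT_RE.findall(dumpsys_excerpt))


def triage(a11y_setting, notif_setting, pm_output, dumpsys_by_pkg):
    """Return {package: [reasons]} for every third-party package worth a look."""
    a11y = parse_service_list(a11y_setting)
    listeners = parse_service_list(notif_setting)
    findings = {}
    for pkg in sorted(parse_third_party(pm_output)):
        reasons = []
        if pkg in KNOWN_BAD_PACKAGES:
            reasons.append("package name matches known EventBot indicator")
        if pkg in a11y:
            reasons.append("third-party app with accessibility service enabled")
        if pkg in listeners:
            reasons.append("notification listener enabled (can read lock-screen alerts)")
        granted = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        reasons.extend(why for perm, why in RISKY_PERMISSIONS.items() if perm in granted)
        if pkg in a11y and "android.permission.SYSTEM_ALERT_WINDOW" in granted:
            reasons.append("HIGH: accessibility + overlay is the EventBot credential-theft combination")
        if reasons:
            findings[pkg] = reasons
    return findings


def high_risk(findings):
    """Packages whose reasons include a HIGH finding."""
    return sorted(p for p, r in findings.items() if any(x.startswith("HIGH") for x in r))


# --- Constructed sample output (not captured from a real device) ---
SAMPLE_A11Y = "com.example.eventbot/.AccService:com.example.screenreader/.ReaderService"
SAMPLE_NOTIF = "com.example.eventbot/.NotifService"
SAMPLE_PM = "package:com.example.eventbot\npackage:com.example.screenreader\npackage:com.example.messenger\n"
SAMPLE_DUMPSYS = {
    "com.example.eventbot": (
        "    install permissions:\n"
        "      android.permission.SYSTEM_ALERT_WINDOW: granted=true\n"
        "      android.permission.INTERNET: granted=true\n"
        "    runtime permissions:\n"
        "      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]\n"
        "      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]\n"),
    "com.example.screenreader": "    install permissions:\n      android.permission.INTERNET: granted=true\n",
    "com.example.messenger": "    runtime permissions:\n      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]\n",
}

if __name__ == "__main__":
    result = triage(SAMPLE_A11Y, SAMPLE_NOTIF, SAMPLE_PM, SAMPLE_DUMPSYS)
    for pkg, reasons in result.items():
        print(pkg)
        for r in reasons:
            print("  -", r)
    print("high risk:", high_risk(result))
```

On the constructed sample the screen-reader app is reported only for its accessibility service and the messenger only for RECEIVE_SMS, both of which are normal for those app types; the hypothetical Eventbot package is the only one that stacks accessibility, a notification listener, overlay and SMS access, which is the combination that matters. The package-name match is listed separately because, as the article notes, later versions no longer use it.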
Typically, these rogue apps are promoted on various unofficial web pages, forums, and other dubious download sources.
How to avoid installation of malware
All applications and files should be downloaded from official web pages and through direct links. Third-party downloaders, unofficial sites, free file-hosting sites and peer-to-peer networks (torrent clients, eMule) are commonly used to distribute unwanted and even malicious apps.
Third-party installers are commonly used to distribute malware as well. Update and activate installed apps only with the tools or built-in functions provided by the official developers. Unofficial third-party tools should never be used, since they can be designed to install malicious software.
Furthermore, it is illegal to activate licensed programs with ‘cracking’ tools. Cyber criminals commonly attempt to infect devices through spam campaigns (emails). Therefore, attachments (and web links) that are included in irrelevant/dubious emails should never be opened, especially if such emails are received from unknown, suspicious addresses.