Android Malware Alert: EventBot Targeting Financial Banking Apps


As if 2020 didn't do enough to cause problems, a new Android malware was discovered that will soon be unleashed on the public. The malware, which was discovered in March, 2020 by researchers at the cybersecurity firm, Cybereason, does previous malicious apps one better by getting around 2F authentication. The company's head of research, Assaf Dahan, calls the EventBot malware especially malicious and sophisticated.

EventBot was also identified as a commonly downloaded malware by Surfshark’s CleanWeb app with thousands of blocked installs. One of the most commonly attack vectors utilized by EventBot are called “pop unders” where malware installs auto downloaded under a larger window. Most VPNs including Surfshark use a multihop protocol which allows incoming network traffic and downloads to be monitored and screened.

The first line of defense with these attacks is an automated networking monitoring solution.


What We Know About EventBot

This seems to be a brand new malware, and it appears to be evolving since it was first discovered a few months ago. Cybersecurity experts are stumped by who developed the app. It's unique and appears to be created from scratch rather than the standard copy/paste job. Further investigation reveals that multiple samples of the app were uploaded to VirusTotal, an online malware database, and these uploads appear to be from the author.

All can agree that it's tenacious and difficult to detect.

How EventBot Works

According to Cybereason's Nocturne Team, the group that's been studying the malicious app, EventBot can circumvent standard security features like two-factor authentication and embed itself into Android's built-in accessibility features. From there, it abuses devices from within their own operating system.


Once installed, it can break into more than 200 finance and banking apps, including PayPal, HBSC, Capital One, and Coinbase. It can even intercept text messages containing security codes used as a second form of authentication.

All apps targeted by EventBot image 1

Even more horrifying, the app seems to be altering itself every few days in order to up the ante and cause even more destruction.


Although there have been no reports of wide release in the wild, it's feared that it will launch world-wide as soon as development is completed. It is believed that an early version of the malware was used in the 2019 Android Trojan attack launched by a C&C in Italy.

As designed, EventBot becomes embedded in Android-powered devices either through someone with direct access to your phone or by unsuspecting users who install it by accident. It appears just like any other Android app, with nothing suspicious at first other than requests for an unusual amount of access.

Once the app is installed on a device, it first requests permissions from the user that include:


* Displaying on top of other apps

* Installing packages

* Reading external storage


* Opening network sockets

* Receiving SMS messages

* Starting from boot


It will also request permission to access all accessibility features. A file called parseCommand allows cyber criminals to update configuration files, webinjects, and Command & Control (C&C). Newer versions can even track changes in pin codes or passwords, so the usual defenses against such exploits seem almost obsolete. Other alterations discovered include the ability to add dynamic library loading, change locales, and encryption.

Once activated, EventBot begins to query a series of apps, looking for login and other information. It can also harvest data and record keystrokes or taps to gain access to passwords and account logins, exfiltrating and sending all of your information back to the C&C server of the author or any person who bought the code in one of the many underground cyber communities. It's hitting crypto wallets, too.

This whole mess comes at a time when users and businesses are relying on apps to conduct business and access financial institutions due to business closures. There are also quite a few more digital financial transactions occurring as stimulus money makes its way through cyberspace. The app was created to specifically target Android-powered financial apps and institutions throughout Europe and the United States.


Protecting Yourself: How to Avoid Becoming a Victim

Although most new smartphone releases have built-in security features, users will have to be especially vigilant in order to avoid infecting their Android devices with EventBot.

This malicious app is very sophisticated, and each new update brings a new advanced threat. It comes hidden inside other legit-looking apps. Typical security measures won't stop it once it's installed on your phone or mobile device.

EventBot image 1

Does that mean you're going to be helpless once EventBot is unleashed on the public?

No. But, you do need to practice due diligence when selecting apps and installing them on your phone. Fortunately, there are a few things you can do to avoid accidentally installing EventBot on your smartphone or mobile device.

* Make sure to keep Google Play Protect turned on

* Only download apps from trusted sources. You can find legitimate Android apps in the Google Play Store. Never download anything from an unofficial or unauthorized source.

* Keep your device's OS, firmware, and other mobile security solutions updated

* Consider how much you really need any app, and determine how much access anyone but you need to your phone, features, databases, and functions.

* Whenever possible, check the app's APK signature and hash in data banks like VirusTotal.

* Install and use mobile threat detection solutions to beef up your device security.

* If you suspect that you might have a virus or malware, use another device that's not synced with your phone to access accounts temporarily. Uninstall Flash, if you have it on any device. It will be unsupported as of next year, anyway.

In addition, app developers should practice security by design in order to provide users with the most secure software possible. This includes implementing best practices like mobile app shielding and code obfuscation. You can also prevent your apps from running on Android-powered devices that have been compromised by adding in-app rooting protections, enabling developer options, and disallowing "Unknown Sources".

Final Thoughts

At a time of social distancing and unprecedented business closures, you have enough to worry about this year. Our goal is to provide you with the most current information available about cyber threats that target you.

Armed with this info and an availability of technology that protects you from cyber crimes, we hope that you'll be able to ward of EventBot and any other bit of malicious technology that comes your way.