Researchers at Cybereason, a cybersecurity firm based in Boston, MA, have exposed a novel banking trojan attacking
Android mobile devices dubbed
Eventbot. The Eventbot malware was
developed with original code from the
ground up and is significantly different
from all previously known Android malware code. The originality of the malware and its rapid development process,
releasing a new version every few days,
suggests that the actors behind its development are highly sophisticated and determined to make Eventbot a capable
piece of malware.
Recent updates to the
malware have included the ability to perform dynamic library loading, enhanced
encryption schemes, and adjustments to
different locales and device manufacturers.
The Eventbot malware abuses Androids
accessibility features to harvest sensitive
information from the device such as keystrokes, PINs, and SMS messages.
The
Accessibility Services are typically used to
help users with disabilities by giving them
a meaningful way to interact with the
device. Accessibility Services can process
the information on the screen and present it to the end-user in formats that are
more digestible but also, has the ability
to write input into fields, auto-generate
permissions on the device, perform
screen gestures and more.
The SMS message harvesting feature of the Trojan allows it to bypass two-factor authentication often employed by legitimate banking apps to verify the identity of mobile
users by abusing the accessibility feature
which can write input from the screen
into a form field. The malware itself masquerades as a legitimate Android app, and
once installed it is designed to siphon off
credentials for over 200 banking and cryptocurrency sites. Banking apps such as
PayPal, HSBC, Capital One are a few of the
many apps at risk from Eventbot’s data
harvesting and two-factor bypass features.
Mobile malware targeting financial apps
has become a significant risk to consumers
and businesses alike and must be considered when mobile banking is the third
most popular activity performed on mobile devices, right behind logging into social media apps and checking the weather.
Furthermore, over 60% of devices accessing or containing enterprise data are now
mobile devices, meaning if an attacker
gains access to a mobile device, the consequences for business can be catastrophic.
With the wealth of sensitive activities now
being performed on mobile devices, most
of which having little or no end-point protections installed beyond the basic app
store verification, these attacks will only
become more common.
It is now estimated that over a third of all malware is designed to target mobile devices, this poses
significant challenges for consumers, let
alone organizations that allow bring-your own-devices.
Sources:
- https://www.finextra.com/pressarticle/82346/new-android-banking-trojan-affects-200-financial-apps
- https://techcrunch.com/2020/04/29/eventbot-android-malware-banking/