{"id":20650,"date":"2020-05-11T16:09:20","date_gmt":"2020-05-11T20:09:20","guid":{"rendered":"https:\/\/www.psafe.com\/en\/blog\/?p=20650"},"modified":"2022-04-27T14:51:39","modified_gmt":"2022-04-27T18:51:39","slug":"android-malware","status":"publish","type":"post","link":"https:\/\/www.psafe.com\/en\/blog\/android-malware\/","title":{"rendered":"New Android Malware, \u201cEventbot\u201d Targets Financial Data"},"content":{"rendered":"

A pernicious new malware that steals Android mobile banking data has been discovered, and it\u2019s targeting Android users throughout Europe and the United States.\u00a0<\/span><\/p>\n

\u201cEventbot\u201d leverages Android accessibility to reap private data from financial applications. It also has the ability to hijack SMS-based two-factor authentication codes, and it can even read user SMS messages. A very foreboding mix of capabilities.\u00a0<\/span><\/p>\n

\u201cThis one is especially dangerous,\u201d remarks Emilio Simoni, Research Director at dfndr lab<\/strong>, \u201cEventbot is a trojan that targets over 200 different financial apps.\u201d Simoni explains that these\u00a0 include banking, money transfer services, and crypto-currency wallets like Coinbase, Paypal Business, TransferWise, HSBC, CapitalOne, Santander, Revolut, and Barclays\u2026 and many more.<\/span><\/p>\n

How EVENTBOT Does Its Damage<\/b><\/h3>\n

\u00a0<\/b>First identified in March 2020, Eventbot makes its way onto phones by posing as a legitimate app: Adobe Flash, Microsoft Word, and similar.\u00a0 Eventbot primarily resides on unofficial Android App stores and other unauthorized websites, it has also been delivered through bulk SMSs and Emails, typically offering special savings on popular Android apps.<\/span><\/p>\n

When installed, Eventbot requests a robust list of permissions, including accessibility settings; \u201cread\u201d permission from external storage; the ability to send and receive SMS messages; run in the background; and launch after system boot.<\/span><\/p>\n

Users who grant these permissions unwittingly enable EventBot to operates as a keylogger, which can extract notifications about other installed applications, and scan and scrape the content of open windows. It also further-leverages Android’s accessibility services to steal the lock-screen PIN \u2014 then sends all of its stolen data in an encrypted format to its command-center server.\u00a0<\/span><\/p>\n

Simoni explains: \u201cThe ability to track SMS messages also enables this malware to pass-through SMS-based two-factor authentications, which opens the gates wide for financial attacks of the very worst kind.\u201d<\/span><\/p>\n

Protect Yourself<\/b><\/h3>\n

\u201cIt’s important to always rely on a security mechanism. dfndr security<\/strong>, for example, has a Safe App Installer<\/strong><\/a> feature that is designed expressly to deal with dangerous apps like this,\u201d Simoni offers, \u201cThis feature lets you know if an app is safe before you ever install it, and its updated constantly by the PSafe security team. We scan the web constantly for updates and information to enrich our database.”
\n<\/span><\/p>\n

With Safe App Installer, any app you intend to install will be rated for trustworthiness. There are two levels of alert if the feature discovers an issue:<\/p>\n