EventBot is a sophisticated Android trojan that targets financial apps, including mobile banking apps. It is known for its advanced capabilities and ability to steal sensitive information from infected devices. EventBot’s primary goal is to harvest financial data and credentials to carry out fraudulent transactions and illicit activities.
First identified in March 2020, EventBot is believed to have been disseminated via third-party app stores and malicious websites. By abusing accessibility features on the Android device, the trojan can steal banking app user credentials. The malware can also steal users’ SMS messages and send them to a server to bypass the bank’s multi-factor authentication systems.
Since its initial discovery, attackers have continued to create new versions of the trojan with additional capabilities. Consumers in Germany, Italy, Spain, and the U.K. have been targeted, and 12 banking apps have been compromised.
EventBot employs several novel capabilities to improve its effectiveness:
- The trojan can update configuration files and download new malware modules.
- The icons used in the malware closely resemble those of well-known apps, such as Microsoft Word and Adobe Flash.
- The trojan has established capabilities for creating overlay phishing pages to steal credentials.
Threats Posed by EventBot to Mobile Banking Apps
- Data Theft: EventBot is designed to steal sensitive information, including login credentials, PINs, and financial data, from the user’s device. This information can then be used to gain unauthorized access to the user’s bank accounts and perform fraudulent transactions.
- Keylogging: EventBot includes a keylogging feature that records every user’s keystroke on the infected device. Keylogging allows it to capture usernames, passwords, and other sensitive information users enter.
- Overlay Attacks: EventBot can launch overlay attacks, displaying fake login screens on top of legitimate apps, including mobile banking apps. Users are tricked into entering their credentials, which are then captured by the trojan.
- SMS Interception: EventBot can intercept SMS messages on the user’s device, including one-time passwords (OTPs) and transaction verification codes. This interception allows the trojan to bypass two-factor authentication measures used by banking apps.
- Accessibility Service Abuse: The trojan abuses Android’s accessibility services to gain control over the device’s functions and manipulate app interfaces, making it challenging to detect.
- Device Information Theft: EventBot can gather information about the infected device, such as device identifiers and system details, which can be used to track and profile users.
- Remote Control: Like many banking trojans, EventBot can establish a connection to a command and control (C2) server controlled by attackers. This server connection allows attackers to control the trojan-infected device and execute various commands remotely.
Mitigating the EventBot Threat
To protect your mobile banking app and its users from the EventBot banking trojan and similar threats, consider implementing the following security measures:
- Regular Updates: Keep your mobile banking app and its dependencies up-to-date with the latest security patches and enhancements to address known vulnerabilities.
- User Education: Educate users about the importance of downloading the official app from trusted sources, avoiding suspicious links or downloads, and being cautious with app permissions.
- Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
- Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
- Secure Coding: Follow safe coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
- Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
- Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
- Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.
By taking these precautions, you can help safeguard your mobile banking app and protect your users from the threats posed by the EventBot banking trojan and other evolving banking trojans.
Learn More about Banking Trojan Families
EventBot is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:
- BianLian
- Cabassous
- Coper
- ExobotCompact.D
- Octo
- FluBot
- Medusa Trojan
- SharkBot
- TeaBot
- Xenomorph
- Zbot
- Svpeng
- Marcher
- Anubis
- Ginp
- Cerberus Trojan
- BankBot
- Emotet