New Android Malware Targets PayPal, CapitalOne App Users
Researchers warn that the EventBot Android malware, which targets over 200 financial apps, could be the “next big mobile malware.”
Android mobile malware has been uncovered that steals payment data from users of popular financial apps like PayPal, Barclays, CapitalOne and more.
The info stealer, called EventBot, has targeted users of more than 200 different banking, money-transfer and cryptocurrency wallet apps. First identified in March 2020, EventBot is still in early development, but researchers warn that it is rapidly evolving, with new versions being released every few days.
“EventBot is particularly interesting because it is in such early stages,” said Daniel Frank, Lior Rochberger, Yaron Rimmer and Assaf Dahan with Cybereason, in a Thursday analysis. “This brand-new malware has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications.”
EventBot is not currently on the Google Play app marketplace, but researchers said the malware is nonetheless masquerading as legitimate applications. This leads them to believe that it is likely being uploaded to rogue APK stores and third-party websites under the guise of real applications, such as Adobe Flash or Microsoft Word apps.
Once installed, the malware requests various permissions on the victims’ devices (still under the pretence of being a legitimate app). These permissions allow the app to launch itself after a system reboot, run and use data in the background, read and receive text messages, access information about networks and more.
In addition, EventBot prompts the user to give it access to Android’s accessibility services, opening an array of malicious possibilities. Android notes that accessibility services are typically used to assist users with disabilities in using Android devices and apps. However, these are also often abused by malware, from banking trojans to full-fledged spyware.
Access to these permissions gives the malware the ability to operate as a keylogger and retrieve notifications about various installed applications, researchers said: “EventBot abuses Android’s accessibility feature to access valuable user information, system information and data stored in other applications,” they said. “In particular, EventBot can intercept SMS messages and bypass two-factor authentication mechanisms.”
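The permission profile described above (boot persistence, SMS read and receive, network state, background execution, plus an enabled accessibility service) is something an analyst can check for directly on a device. The following triage script is an added example written for this page; it is not Cybereason's or Threatpost's tooling and does not detect EventBot specifically. It assumes the text layout of `adb shell dumpsys package <pkg>` (a `requested permissions:` section followed by the next heading) and of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, or `null`). Note that an accessibility service is not visible in the requested-permissions list; it has to be checked through the secure setting. All package names and dumpsys text below are constructed samples, not captures from a real infection.

```python
"""Flag installed Android packages whose permission profile matches the one
EventBot requests: boot persistence + SMS access + an enabled accessibility
service. Added example for this article; not the researchers' tooling.

Real inputs would come from:
  adb shell dumpsys package <pkg>
  adb shell settings get secure enabled_accessibility_services
Sample text below is constructed (hypothetical package names)."""

# Permissions named in the write-up and the capability each gives the app.
SUSPECT_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "relaunch after reboot",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.ACCESS_NETWORK_STATE": "network information",
    "android.permission.INTERNET": "reach a command-and-control server",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "keep running in the background",
}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def parse_requested_permissions(dumpsys_text):
    """Collect names listed under 'requested permissions:' in dumpsys output.
    The section ends at the next heading, i.e. the next line ending in ':'."""
    perms = set()
    in_section = False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if line.endswith(":"):          # reached the next section heading
                break
            if line:
                perms.add(line.split(":")[0])  # tolerate "name: restricted=true"
    return perms


def accessibility_enabled_packages(setting_value):
    """Parse enabled_accessibility_services into the set of package names
    that currently have an accessibility service switched on."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting_value.strip().split(":") if entry}


def assess_package(pkg, dumpsys_text, accessibility_setting):
    """Score one package. 'high' = SMS access combined with an enabled
    accessibility service (the 2FA-interception combination described above);
    'medium' = either accessibility alone, or SMS access plus boot persistence."""
    perms = parse_requested_permissions(dumpsys_text)
    matched = {p: SUSPECT_PERMISSIONS[p] for p in perms if p in SUSPECT_PERMISSIONS}
    accessibility = pkg in accessibility_enabled_packages(accessibility_setting)
    has_sms = bool(perms & SMS_PERMISSIONS)
    persists = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    if accessibility and has_sms:
        verdict = "high"
    elif accessibility or (has_sms and persists):
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": pkg, "matched": matched,
            "accessibility": accessibility, "verdict": verdict}


# Constructed sample: a lure posing as a Flash update (hypothetical package).
SAMPLE_DUMPSYS_LURE = """\
  Package [com.example.flashplayer.update] (1a2b3c):
    userId=10241
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed sample: an ordinary messaging app that legitimately reads SMS.
SAMPLE_DUMPSYS_SMS_APP = """\
  Package [com.example.messenger] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed value of enabled_accessibility_services: the lure plus a screen reader.
SAMPLE_ACCESSIBILITY = ("com.example.flashplayer.update/.CaptureService:"
                        "com.example.screenreader/.ReaderService")

if __name__ == "__main__":
    for pkg, text in [("com.example.flashplayer.update", SAMPLE_DUMPSYS_LURE),
                      ("com.example.messenger", SAMPLE_DUMPSYS_SMS_APP)]:
        r = assess_package(pkg, text, SAMPLE_ACCESSIBILITY)
        print(f"{r['package']}: {r['verdict']} "
              f"(accessibility={r['accessibility']}, perms={sorted(r['matched'])})")
```

The messaging app scores low even though it reads SMS, because a legitimate SMS client has no reason to hold an accessibility service; the lure scores high on the combination alone, without any signature for EventBot itself. Substitute the real dumpsys and settings output for the constructed samples to run it against a device.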
Upon execution, EventBot also downloads a configuration file with the 200 different financial app targets. Specifically targeted are app users in the U.S. and Europe (including Italy, the UK, Spain, Switzerland, France and Germany).
Researchers noted significant updates over the few weeks they spent tracking EventBot.
For instance, newer versions include a new method called grabScreenPin, which leverages the accessibility feature to track PIN code changes in the device’s settings. This PIN is sent to the command-and-control (C2) server, presumably to give the malware the ability to perform privileged actions on infected devices related to payments and system configuration options, researchers said. Also, in newer versions, the loader, which was previously unobfuscated, is now obfuscated.
Researchers were unable to identify any conversations about EventBot on underground forums, where new malware is often introduced, promoted and sold, further strengthening their suspicion that the malware is still undergoing development and has not been officially released. However, they warned that EventBot continues to receive upgrades weekly, as seen in its botnetID strings, which show consecutive numbering across versions.
“With each new version, the malware adds new features like dynamic library loading, encryption and adjustments to different locales and manufacturers,” said researchers. “EventBot appears to be a completely new malware in the early stages of development, giving us an interesting view into how attackers create and test their malware.”
Want to get the best solution for your business?
At Tristar Tech Solutions, we take a realistic approach to technology – ensuring our client’s systems are best protected.
If you have any concerns, questions or simply want to explore how to better secure your business, please do get in touch with the team for a FREE demonstration and consultation to explore how exposed your business might be and identify actions to take.
To book a consultation or to arrange a further discussion, please get in touch.
News Source: https://threatpost.com/