EventBot Android malware invades banking apps and bypasses 2FA

EventBot Android malware targets banking apps and cryptocurrency wallets, and steals SMS 2FA codes


A newly documented Android malware strain, EventBot, puts Android users at risk: it gets onto a device in the guise of a legitimate app and operates without the user noticing. Worse, once running it can read data belonging to sensitive applications and intercept the SMS codes used for two-factor authentication.

Researchers at security firm Cybereason are warning Android users to be vigilant about this malware in disguise. EventBot is a new entrant in the mobile banking-trojan family, but its ability to get onto a device and take control of it is already that of a mature threat.

How EventBot operates

EventBot disguises itself as a legitimate Android app, mimicking the form of Microsoft Word or Adobe Flash for Android. (Adobe has not offered Flash Player for Android since 2012, so any app claiming to be it is a red flag in itself.)

The unsuspecting victim downloads and installs the app, typically from outside the official Play store. Once installed, EventBot sets about abusing the Android accessibility features.

EventBot abuses Android's accessibility service to read user data, system information and the contents of other applications' screens. In particular, because it also holds SMS permissions, it can intercept incoming text messages and so defeat SMS-based two-factor authentication, capturing the one-time codes sent to the phone alongside the credentials it has already stolen. Codes from an authenticator app or hardware key are not exposed to SMS interception, but an accessibility service can still read any code that is displayed on screen.

EventBot targets users of over 200 financial applications, including banking, money-transfer and cryptocurrency-wallet apps, among them PayPal, Coinbase, Barclays, HSBC, Santander, Starling, Lloyds, Mondo, Revolut, TSB, Tesco and Bank of Scotland, and many more.

In its report, Cybereason describes tracking a succession of sample submissions, watching features being added as the developers improved EventBot's capabilities from one version to the next.

EventBot asks the user to enable it as an accessibility service. This is the key step: an accessibility service can read the contents of the screen, observe text as it is typed and simulate taps, and it keeps running in the background, so granting it effectively hands the app a keylogger and remote control of the device.

EventBot also requests ordinary Android permissions: reading device storage (READ_EXTERNAL_STORAGE), reading and sending SMS messages (READ_SMS, RECEIVE_SMS, SEND_SMS), starting automatically after boot (RECEIVE_BOOT_COMPLETED), drawing windows on top of other apps (SYSTEM_ALERT_WINDOW, the basis for overlay phishing screens), and installing additional packages (REQUEST_INSTALL_PACKAGES).

Some of these requests do prompt the user. Enabling the accessibility service, in particular, shows Android's own warning that the app will be able to “observe text you type – includes personal data such as credit card numbers and passwords.” Anyone who reads that prompt has the clue they need; the malware relies on users tapping through it.
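As an added example (not code from the article or from Cybereason), the following Python script triages a decoded AndroidManifest.xml, such as the one `apktool d sample.apk` produces, for the permission and service profile described above: an accessibility service plus SMS interception plus overlay windows. The two sample manifests are constructed for illustration; the package, label and class names are made up, while the permission and intent-action strings are the real Android identifiers.

```python
"""Triage a decoded AndroidManifest.xml for an EventBot-style permission profile.

Added example, not code from the article or from Cybereason. The manifests at the
bottom are constructed (package, label and class names are invented); the
permission and intent-action strings are real Android identifiers.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permission names for the capabilities the article lists.
RISKY_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "read device storage",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlays)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages",
}
SMS_INTERCEPT = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _a(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def accessibility_services(root):
    """Names of services that register as accessibility services."""
    names = []
    for svc in root.iter("service"):
        binds = _a(svc, "permission") == ACCESSIBILITY_BIND
        actions = {_a(act, "name") for act in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            names.append(_a(svc, "name"))
    return names


def rate(perms, acc_services):
    """Accessibility + SMS interception + overlays is the banking-trojan profile.
    Accessibility alone is a weak signal: screen readers and password managers
    use it legitimately, so it only raises the score in combination."""
    has_acc = bool(acc_services)
    sms = bool(SMS_INTERCEPT & perms)
    overlay = OVERLAY in perms
    if has_acc and sms and overlay:
        return "high"
    if has_acc and (sms or overlay):
        return "medium"
    if has_acc or sms:
        return "low"
    return "none"


def triage_manifest(xml_text):
    """Return package, label, risky permissions, accessibility services, verdict."""
    root = ET.fromstring(xml_text)
    perms = {_a(up, "name") for up in root.iter("uses-permission")}
    risky = {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}
    acc = accessibility_services(root)
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": _a(app, "label") if app is not None else None,
        "risky_permissions": risky,
        "accessibility_services": acc,
        "verdict": rate(perms, acc),
    }


# Constructed manifest of a dropper posing as Microsoft Word (names invented).
SUSPECT_MANIFEST = """<manifest xmlns:android="%s" package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Microsoft Word">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % ANDROID_NS

# Constructed manifest of an ordinary note-taking app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Notes"/>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(manifest)
        print("%s (%s): %s" % (r["package"], r["label"], r["verdict"]))
        for p, why in r["risky_permissions"].items():
            print("  %s: %s" % (p, why))
        for s in r["accessibility_services"]:
            print("  accessibility service: %s" % s)
```

The verdict deliberately keys on the combination rather than any single permission: plenty of legitimate apps ask for storage or overlay access, and accessibility services have real uses, but a self-styled document viewer that wants all three plus SMS has no honest reason to.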

Cybereason said that one-third of all malware now targets mobile endpoints, and that 60 per cent of devices accessing enterprise data are mobile. In mitigation, both Android and iOS enforce stricter per-app permissions than desktop PCs, and most applications are installed from a curated store. That protection holds only as long as users stay inside the store and refuse accessibility access to apps that have no business asking for it.