Researchers are reported to be analysing EventBot, a new strain of Android malware that has not yet been seen in the wild.
Cybereason researchers were able to do this by observing submissions to the malware-scanning service VirusTotal that came not from the general public but from a single source, presumed to be the criminals themselves testing whether the trojan would be detected.
Its creators call the malware EventBot, though if it is released it could be disguised within other apps that claim to be games or utilities, or sold as a component to other criminals. In the Cybereason report, the researchers describe how they tracked a succession of submissions, seeing “features” added as the coders improved EventBot’s capabilities.
EventBot asks the user to grant it access to Android’s accessibility services, a powerful feature: an app running as an accessibility service can observe what is on screen and what the user types (effectively acting as a keylogger) and keep running in the background.
EventBot also requires Android permissions including reading internal storage, reading and sending SMS messages, launching automatically after system boot, showing windows on top of other apps, and requesting to install additional packages. Some of these permissions prompt the user, even stating that the app needs to “observe text you type – includes personal data such as credit card numbers and passwords.”
“Most users that are not tech-savvy will not question why the app needs this or that permission, they will just give it so they can let the app run,” said Assaf Dahan of Cybereason. “Most people don’t even bother reading it, there’s a lot of trust. The human link is the weakest link in cyber security.”
Once installed, the app downloads a configuration file listing currently around 200 financial targets, including PayPal, Coinbase, Barclays, HSBC, Santander, Starling, Lloyds, Mondo, Revolut, TSB, Tesco and Bank of Scotland; the full list is in the report.
When active, it can perform webinjects, intercepting data the user enters for the targeted sites and apps. Combined with the ability to read SMS messages, it may be able to defeat SMS-based two-factor authentication. It can also capture the device lock-screen PIN, “most likely to give the malware the option to perform privileged activities on the infected device related to payments, system configuration options,” the report explained.
The most recent versions of EventBot use obfuscation to disguise class names in the code, making static analysis harder.
Cybereason said that one-third of all malware now targets mobile endpoints, and that 60% of devices accessing enterprise data are mobile. On the other hand, both Android and iOS enforce stricter per-app permissions than desktop PCs, and most applications are installed through a curated store. Would EventBot have any chance of getting past Google’s malware checks?
“I’d like to say that would never happen but the facts prove us wrong,” said Dahan. “It doesn’t happen often, but malware is found in the Play store. It’s not unheard of.”
Evidence of this was provided recently by Kaspersky researchers, who said of a malware campaign dubbed PhantomLance: “We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.”
According to Kaspersky: “We spotted a certain tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads.”
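The two patterns above, the EventBot permission profile (storage, SMS, boot start, overlay windows, package installation and an accessibility service) and the PhantomLance trick of shipping a clean first version and adding the payload in an update, can both be caught at the manifest level. The script below is an added example written for this article, not code from Cybereason, Kaspersky or the malware; it parses two constructed AndroidManifest.xml files (a “flashlight” app before and after a hypothetical malicious update), maps the declared permissions to the capabilities the article describes, and reports which capabilities the update gained. The package name, service name and both manifests are invented for illustration; the permission strings are standard Android ones.

```python
"""Triage helper: flag an EventBot-style permission profile in an Android
manifest and detect capability escalation between two versions of an app.

Added example for this article; not Cybereason's, Kaspersky's or the
malware's code. Both manifests are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities the article attributes to EventBot, and the standard Android
# permissions an app must declare in its manifest to obtain them.
CAPABILITIES = {
    "read_storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "start_on_boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "overlay_windows": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# An accessibility service is a <service> that the system binds to only if it
# is protected by this permission, so its presence reveals the service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest: the clean first upload (hypothetical package name).
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed manifest: the follow-up update carrying the banker profile.
UPDATED_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".A11yService" android:permission="{ACCESSIBILITY_PERMISSION}">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    accessibility = any(
        svc.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION for svc in root.iter("service")
    )
    return perms, accessibility


def capabilities(xml_text):
    """Map a manifest to the set of EventBot-style capabilities it can obtain."""
    perms, accessibility = parse_manifest(xml_text)
    caps = {name for name, needed in CAPABILITIES.items() if perms & needed}
    if accessibility:
        caps.add("accessibility_service")
    return caps


def banker_score(xml_text):
    """Number of the seven EventBot-style capabilities present (7 = full profile)."""
    return len(capabilities(xml_text))


def escalation(old_xml, new_xml):
    """Capabilities an update gains over the previous version (the PhantomLance pattern)."""
    return capabilities(new_xml) - capabilities(old_xml)


if __name__ == "__main__":
    print("v1 score:", banker_score(BENIGN_MANIFEST))
    print("v2 score:", banker_score(UPDATED_MANIFEST))
    print("gained on update:", sorted(escalation(BENIGN_MANIFEST, UPDATED_MANIFEST)))
```

A score of 7 on a single app is the profile described in the report; in practice the more useful signal is a large jump in `escalation()` between two versions of the same package, since a benign first release followed by an update that suddenly needs SMS, overlay and accessibility access is exactly the store-evasion tactic Kaspersky describes.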
The post New strain of trojan EventBot can clear out bank accounts appeared first on Payments Cards & Mobile.