The Cybereason Nocturnus research team said that EventBot appeared in March and combines a Trojan with an information stealer. The Android mobile malware can steal users' financial data while also spying on its victims.
EventBot targets more than 200 mobile financial and cryptocurrency applications, including those offered by PayPal, Barclays, CapitalOne UK, Coinbase, TransferWise and Revolut. The targeted financial and banking services are mainly located in Europe and the USA.
The permissions it requests include access to accessibility features, package installation checks, reading external storage, background execution, and others.
If a victim accepts, the Android mobile malware can “work as a keylogger and may retrieve notifications about other installed applications and content,” say the researchers.
At present, the majority of targeted institutions are located in Italy, the United Kingdom, Germany and France.
It also downloads command-and-control (C2) URLs. The information sent between EventBot and its C2s is encoded and encrypted using Base64, RC4 and Curve25519.
"All the latest versions of EventBot contain a ChaCha20 library that can improve performance compared to other algorithms such as RC4 and AES; however, it is not used at the moment," the group notes. "This means that the creators are working on optimizing EventBot."
The malware collects system data from the device and steals SMS messages (which is very useful for bypassing two-factor authentication). It can also perform web injections, steal Samsung screen PINs, and, by abusing accessibility features, spy on and steal data not only from the user's device but also from applications.
Cybereason believes that EventBot could become one of the most dangerous pieces of Android mobile malware in the future, as it "is constantly improving, abusing a critical operating system and targeting financial applications".
The malware is still under development, so it is not easy to link it to other software. However, EventBot and its C2 infrastructure revealed a possible connection to an Android information stealer that had previously been detected in attacks in Italy.
Cybereason says that EventBot shows that mobile attacks are becoming more common, and that the problem may worsen now that most people use apps to do their jobs while confined at home because of COVID-19.
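A defender-side triage of the permission combination described above, as an added example that is not from Cybereason's report or the original article: it parses a decoded AndroidManifest.xml and flags apps that pair an accessibility service with SMS access and the other listed capabilities. The mapping from the article's wording to concrete Android permission names, the flagging threshold and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."

# Assumed mapping of the article's loosely named capabilities to Android permissions.
WATCHED = {
    P + "REQUEST_INSTALL_PACKAGES": "package installation",
    P + "READ_EXTERNAL_STORAGE": "external storage reading",
    P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "background execution",
    P + "RECEIVE_SMS": "SMS access",
    P + "READ_SMS": "SMS access",
}

def triage_manifest(manifest_xml):
    """Flag the accessibility + SMS + install/storage/background combination."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Accessibility services are declared on <service>, not via <uses-permission>.
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    capabilities = sorted({WATCHED[p] for p in requested if p in WATCHED})
    # One capability alone is common in benign apps; only the combination is flagged.
    flagged = bool(a11y) and "SMS access" in capabilities and len(capabilities) >= 3
    return {"accessibility_services": a11y, "capabilities": capabilities,
            "flagged": flagged}

def _manifest(perms, service_permission):
    """Build a constructed (not real-world) decoded manifest for the demo."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.sample">%s<application>'
            '<service android:name=".Svc" android:permission="%s"/>'
            '</application></manifest>' % (uses, service_permission))

SUSPECT = _manifest(["INTERNET", "READ_SMS", "RECEIVE_SMS", "READ_EXTERNAL_STORAGE",
                     "REQUEST_INSTALL_PACKAGES", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"],
                    P + "BIND_ACCESSIBILITY_SERVICE")
BENIGN = _manifest(["INTERNET", "READ_EXTERNAL_STORAGE"],
                   P + "BIND_ACCESSIBILITY_SERVICE")

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_manifest(xml))
```

A flag here is a prompt for manual review, not a verdict: legitimate assistive and messaging apps can request overlapping permissions.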