
Threat Alert: EventBot


Threat Overview

  • Threat Type: Mobile Banking Trojan
  • Target Industries: Financial
  • Attack Goal: User Data
  • Impacted GEO: Europe & USA

What's Happening?

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware that emerged around March 2020. EventBot is a mobile banking trojan and infostealer that abuses Android’s accessibility features to steal user data from financial applications and to read and steal user SMS messages, which allows the malware to bypass two-factor authentication.

This research gives a rare look into the process improvements malware authors make when optimizing before launch. By going on the offensive and hunting the attackers, our team was able to unearth the early stages of what may be a very dangerous mobile malware.


KEY OBSERVATIONS & TTPS


  • Targeting financial applications: EventBot targets users of over 200 different financial applications, including banking, money transfer services, and cryptocurrency wallets. Those targeted include applications like PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more.
  • Geo targeted: It specifically targets financial banking applications across the United States and Europe, including Italy, the UK, Spain, Switzerland, France, and Germany.
  • Triple Threat: EventBot is particularly interesting because it is in such early stages. This brand new malware has real potential to become the next big mobile malware, as it is under constant iterative improvement, abuses a critical operating system feature, and targets financial applications.

Remediation Steps

Do not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available on the Google Play Store.

Always apply critical thinking and consider whether you should give a certain app the permissions it requests.

When in doubt, check the APK signature and hash in sources like VirusTotal before installing it on your device.
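
The check described in the last step can be scripted before an APK ever reaches a device. The following is an added example, not code from the Cybereason research: it computes the SHA-256 to look up in a reputation service and reports which Android signature schemes the file carries. The function names `inspect_apk` and `build_sample` are hypothetical, and the sample APK is constructed in memory.

```python
import hashlib, io, struct, zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"              # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # ID-value pair IDs per scheme

def _cd_offset(data):
    """Return (EOCD position, central directory offset) of a ZIP/APK."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def inspect_apk(data):
    """SHA-256 for a reputation lookup, plus the signature schemes present."""
    schemes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
               for n in zf.namelist()):
            schemes.append("v1")                   # JAR-style signature files
    _, cd = _cd_offset(data)
    if cd >= 32 and data[cd - 16:cd] == SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]
        pos, end = cd - size, cd - 24              # ID-value pairs live in [pos, end)
        while 0 <= pos and pos + 12 <= end:
            length, pair_id = struct.unpack_from("<QI", data, pos)
            if length < 4:
                break                              # malformed pair, stop parsing
            if pair_id in SCHEME_IDS:
                schemes.append(SCHEME_IDS[pair_id])
            pos += 8 + length
    return {"sha256": hashlib.sha256(data).hexdigest(), "schemes": schemes}

def build_sample(signed):
    """Constructed sample: a tiny APK-shaped ZIP, optionally with a dummy v2 pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"constructed sample, not real code")
    data = bytearray(buf.getvalue())
    if signed:
        eocd, cd = _cd_offset(data)
        pair = struct.pack("<QI", 4 + 4, 0x7109871A) + b"\0" * 4
        size = struct.pack("<Q", len(pair) + 24)
        block = size + pair + size + SIG_BLOCK_MAGIC
        data[cd:cd] = block                        # block sits just before the central directory
        struct.pack_into("<I", data, eocd + len(block) + 16, cd + len(block))
    return bytes(data)

if __name__ == "__main__":
    print(inspect_apk(build_sample(signed=True)))
```

The script only reports that a signature scheme is present; it does not validate it. Cryptographic verification and the signer certificate come from `apksigner verify --print-certs` in the Android SDK build tools.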

Prevented & Detected by the Cybereason Defense Platform

CYBEREASON CUSTOMERS

We highly recommend every customer enable the following features:

  • For customers with Cybereason Mobile, this attack will be detected on any mobile device.
  • For Cybereason MDR customers, the Cybereason team will monitor and triage as well as assist in the mitigation of potential infections.
