New Android Malware Targets PayPal, CapitalOne App Users

eventbot android malware

Researchers warn that the EventBot Android malware, which targets over 200 financial apps, could be the “next big mobile malware.”

An Android mobile malware has been uncovered that steals payment data from users of popular financial apps like PayPal, Barclays, CapitalOne and more.

The infostealer, called EventBot, has targeted users of more than 200 different banking, money-transfer services and general cryptocurrency wallet apps. First identified in March 2020, EventBot’s still in early development – but researchers warn that it’s rapidly evolving with new versions being released every few days.

“EventBot is particularly interesting because it is in such early stages,” said Daniel Frank, Lior Rochberger, Yaron Rimmer and Assaf Dahan with Cybereason, in a Thursday analysis. “This brand-new malware has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications.”

EventBot is not currently on the Google Play app marketplace, but researchers said the malware is nonetheless masquerading as legitimate applications. This leads them to believe that it is likely being uploaded to rogue APK stores and third-party websites under the guise of real applications, such as Adobe Flash or Microsoft Word apps.

Once installed, the malware requests various permissions on the victims’ devices (still under the pretense of being a legitimate app). These permissions allow the app to launch itself after system reboot, run and use data in the background, read and receive text messages, access information about networks and more.

In addition, EventBot prompts the user to give it access to Android’s accessibility services, opening an array of malicious possibilities. Android notes that accessibility services are typically used to assist users with disabilities in using Android devices and apps. However, these are also often abused by malware, from banking trojans to full-fledged spyware.

Access to these permissions gives the malware the ability to operate as a keylogger and retrieve notifications about various installed applications, researchers said: “EventBot abuses Android’s accessibility feature to access valuable user information, system information and data stored in other applications,” they said. “In particular, EventBot can intercept SMS messages and bypass two-factor authentication mechanisms.”

Upon execution, EventBot also downloads a configuration file with the 200 different financial app targets (see a full list of targeted apps in the Index of the research, here). Specifically targeted are app users in the U.S. and Europe (including Italy, the UK, Spain, Switzerland, France and Germany).

EventBot malware

List of targeted apps

Researchers noted significant updates over the few weeks while tracking EventBot.

For instance, newer versions include a new method called grabScreenPin, which leverages the accessibility feature to track PIN code changes in the device’s settings. This PIN number is sent to the command-and-control (C2) server, presumably to give the malware the ability to perform privileged actions on infected devices related to payments and system configuration options, researchers said. Also, in newer versions, the malware has obfuscated the previously unhidden loader.

Researchers were unable to identify any conversations about EventBot on underground forums, where new malware is often introduced, promoted and sold – further strengthening their suspicion that the malware is still undergoing development and has not been officially released. However, they warned that EventBot continues to receive upgrades weekly, as seen in its botnetID strings, which shows consecutive numbering across versions.

“With each new version, the malware adds new features like dynamic library loading, encryption and adjustments to different locales and manufacturers,” said researchers. “EventBot appears to be a completely new malware in the early stages of development, giving us an interesting view into how attackers create and test their malware.”

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles