Warnings have been given that some new mobile banking malware can not only steal the passwords for in excess of 200 financial apps, but also to circumvent the much used two-factor authentication codes as well.
Cybereason Nocturnus research group have been looking into the EventBot Android malware since it was first identified in March, & has now published a report with its conclusions.
Assaf Dahan, Senior Director for Threat Research at Cybereason, went on record to say, ” it seems to have been written from scratch, and it doesn’t look like it’s based on previous Android malware.” In addition, the researchers have referred to a “constant iterative improvement,” & has the potential to cause very considerable financial ‘mischief.’
Targeting over 200 financial applications, from banks to cryptocurrency wallets & money transfer services too, EventBot brings together a banking Trojan with an infostealer.
Barclays, Coinbase, HSBC UK, PayPal, Revolut, Santander UK & TransferWise are among the apps being targeted by EventBot across Europe, & the UK is amongst the countries of particular interest.
It works by pretending to be legitimate applications e.g. a Flash update, installed from unauthorised or compromised sources, EventBot then hinges upon the user giving it permissions which range from reading external storage & SMS, through to creating System Alert Windows that can then be shown on top of other apps.
Importantly, it also prompts the user for access to accessibility services. This provides the malware with the capability to operate as a keylogger, & intercept notifications from other apps as well the content of open windows. The most recent versions of this rapidly evolving malware will also ask for ‘permission’ to run in the background, & then delete itself from the system launcher.
Because EventBot can intercept SMS text messages, still used by far too many financial services for two-factor authentication, as well as passwords, the accessibility features that make application data stealing easy, the accounts can then be readily compromised.
EventBot is not just a problem for consumers to be frightened of, as there are implications for the corporate world too. “In the age of ‘Bring-Your-Own-Device’, malware authors are finding new ways to target enterprises through their employees’ reliance on mobile devices,” Kristina Balaam, Security Intelligence Engineer at Lookout warned. Using detected operating system vulnerabilities or, as per EventBot, legitimate accessibility service features, “the attacker is able to target a wide range of operating system versions and compromise user data without requiring privileged access,” Balaam cautioned.
Paul Bischoff, a Privacy Advocate at Comparitech, says that he hopes “Google will roll out an update soon that patches the vulnerable accessibility settings.” Bischoff also pointed out that because this app steals SMS messages to bypass two-factor authentication, users should switch to an authentication app where possible. “If your banking app supports Google Authenticater or Authy, for example, those are safer solutions than SMS verification,” he strongly advises.
Enterprise IT teams must be sure that Cyber-Awareness Programmes are being maintained, which is especially true during this time of lock-down where the many additional distractions could lead to extremely critical errors by users who are now working from home. “User awareness is important, so be wary of which apps are being downloaded and from where,” Javvad Malik, Security Awareness Advocate at KnowBe4 explained too that, “for corporate-owned devices, approval should be sought from the IT Department.”
With EventBot posing as legitimate application ‘updates’, the factor of phishing is important.
“Employees should do their best to protect their devices against compromise by always installing the latest updates,” Balaam suggests, “and be diligent too about spotting phishing attacks that may trigger malicious downloads.”
Worrisome, but at least now exposed to the oxygen of publicity.