New banking threat to Android Phones – Why “Free” might cost you

The Cybereason Nocturnus team is has uncovered a new type of Android mobile malware that emerged around March 2020. EventBot is a mobile banking trojan that uses Android’s accessibility feature to steal user data from financial applications and steal SMS messages to allow the malware to bypass two-factor authentication.

The malware targets users of over 200 different financial applications, including banking, money transfer services, and cryptocurrency wallets. Those targeted include applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard and more.

By disguising itself as a legitimate, free app, primarily on App stores. Currently, it’s been seen as items like Adobe Flash and Microsoft Word, but this malware is being actively developed and could pose as any legitimate application on these stores. Many of these App stores exist as alternatives to the Google Play Store, but they are risky to use because some of the “free” apps are normally chargeable elsewhere and are either pirated (“cracked”) versions of legitimate software – often containing malware as well, or are simply malware in their own right.

No copies of the malware have yet been detected on the Google Play store, but given that Google Play has hosted malware before (usually only for a very short time before being taken down), risks exist anywhere. There are ways to protect yourself, which I’ll outline in a moment.

When Eventbot installs, it asks for certain “permissions” to access features on your device. The initial one is access to the Accessibility feature. This is the most risk of all, even though it sounds the most innocent. Accessibility is designed to assist those with hearing, sight or other challenges to use apps that would otherwise be a problem. This includes reading screen contents out-loud or entering information into the device’s keyboard when commands are spoken. As you can tell from these examples, a malware app that has control of these features can do almost anything, especially when it’s running in the background as the Eventbot malware does.

Once Eventbot has control of the accessibility features, it’s able to record things like keypresses (such as passwords or PINs) and screen contents. All these are then sent back to the authors command-and-control network where copies are saved and further action initiated. Because Eventbot also has access to text messages, it can read incoming two-factor authentication (2FA) SMS messages from a financial institution and then abuse these, for example by logging in to your online banking app in the background and initiating money transfer.

Even when not stealing your money or hoovering-up personal data, Eventbot (and similar malware) pose a huge risk to business data and corporate networks. Because once installed on a device they are capable of doing almost anything including defeating 2FA, they can bypass many of the security systems you may have put in place to protect your corporate network. Once the malware has done its job, your businesses data is at risk and you are at risk of further attacks, such as ransomware. If that wasn’t enough, you then would also run the risk of incredible reputational damage. Security firm RSA predicts that over 60% of business systems are now accessed from mobile devices, so as a business you need to be aware that the threat is very real.

So what can you do to help mitigate against threats like Eventbot? Here are some key tips:

  • Ensure your Android phone is kept up to date with software updates from legitimate locations, such as the phones manufacturer. If your version of Android is no longer receiving updates due to its age, you must stop using it.
  • Turn on Google Play Protect.
  • Don’t install mobile apps from unofficial or unauthorised sources. Nearly all legitimate Android apps are available from the Google Play Store.
  • Think carefully when an app asks for permissions to access the features of your phone. For example, a chat app might ask to read your contacts so it can display contact-names when you’re chatting, but the access the app requests should be proportionate and realistic. Given the risk of the Accessibility feature, I’d try and limit that to only inbuilt phone apps if at all possible.
  • When in doubt, check the APK (Android Package, or the file that installs the app) signature with sources like VirusTotal before installing it on your device.
  • If possible, use mobile phone security (“antivirus”/”antimalware”) as a belt-and-braces fallback from human error.

If you are a business owner or CIO who’s staff use their mobiles to connect to any of your systems, even just email, then please consider what you need to do to protect your staff and your business. And if you would like some more advice on anything tech-related including cybersecurity, feel free to contact us or email me: [email protected]