How to detect EventBot Malware? A Quick Guide 2020

EventBot is a new mobile banking trojan that emerged in March 2020, during the Covid-19 pandemic. It is Android malware that attacks the financial applications on your Android smartphone.

EventBot malware targets multiple financial applications, including cryptocurrency wallets, financial services and banking.

The Computer Emergency Response Team (CERT) has issued an advisory, warning people against EventBot.

According to CERT, the EventBot trojan targets over 200 different financial applications.

EventBot malware is an information stealer. Moreover, it abuses the functionality of Android features.

EventBot malware attacks Android mobiles by accessing users’ credential data, system information and the important information stored in mobile applications. It is worth noting that EventBot malware can intercept SMS messages and bypass two-factor authentication.

The survey alleges EventBot was created to target more than 200 banking and financial applications. It has targeted many European banking and cryptocurrency applications.

Hence, we need to be on high alert against this Trojan.

Targeted Applications

The targeted applications include Paypal, CapitalOne UK, HSBC UK, Barclays, UniCredit, Revolut, TransferWise, Paysafecard, Coinbase and many more.

Therefore, when financial applications are used on Android mobiles, clicking on links from unknown senders must be avoided.

According to CERT, the Google Play store does not, as of now, identify EventBot, which increases the danger of it masquerading as a legitimate application to mislead users.

Cybereason says that the following icons are used to masquerade as legitimate applications.

Threat Analysis

Several versions of this banking trojan have emerged. The notable versions are 0.0.0.1, 0.0.0.2, 0.3.0.1 and 0.4.0.1. 

Each version extended its threat functionality and abused the Android mobile to a greater extent.

This threat requires the following permissions on installation:

  1. WAKE_LOCK – Prevents the processor from going into sleep mode
  2. ACCESS_NETWORK_STATE – Permits the app to access information on networks
  3. READ_EXTERNAL_STORAGE – Permission to access external storage
  4. RECEIVE_SMS – Permission to receive SMS
  5. READ_SMS – Permission to read SMS

So, if an application requires the above-mentioned permissions on installation, one must be cautious.
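
The permission check described above, as an added Python example (not code from this article or from the advisories it cites). It assumes the manifest has already been decoded to text XML, for example with apktool; the sample manifests, package names and verdict labels are constructed for illustration. WAKE_LOCK and ACCESS_NETWORK_STATE are requested by many ordinary apps, so the example grades the combination rather than any single permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# The five permissions listed above (names as Android defines them).
LISTED = {"WAKE_LOCK", "ACCESS_NETWORK_STATE", "READ_EXTERNAL_STORAGE",
          "RECEIVE_SMS", "READ_SMS"}
SMS = {"RECEIVE_SMS", "READ_SMS"}  # the two that expose SMS content


def requested_permissions(manifest_xml):
    """Return short names of the android.permission.* entries requested."""
    found = set()
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            found.add(name[len(PREFIX):])
    return found


def review(manifest_xml):
    """Grade how much of the listed permission set a manifest requests."""
    hits = requested_permissions(manifest_xml) & LISTED
    if hits == LISTED:
        verdict = "full-match"      # every listed permission is requested
    elif hits & SMS:
        verdict = "sms-access"      # can read or receive SMS: ask why
    else:
        verdict = "no-sms-access"   # only the widely used, low-signal ones
    return {"package": ET.fromstring(manifest_xml).get("package"),
            "listed_requested": sorted(hits), "verdict": verdict}


def make_manifest(package, perms):
    """Build a constructed sample manifest (not from any real application)."""
    uses = ['<uses-permission android:name="%s%s"/>' % (PREFIX, p) for p in perms]
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="%s">%s</manifest>' % (package, "".join(uses)))


# Constructed samples: hypothetical package names, invented permission sets.
SUSPECT = make_manifest("com.example.updater", sorted(LISTED) + ["INTERNET"])
BENIGN = make_manifest("com.example.notes",
                       ["WAKE_LOCK", "ACCESS_NETWORK_STATE", "INTERNET"])

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(review(sample))
```

A "full-match" or "sms-access" verdict is a prompt to ask why the app needs SMS access, not proof that it is EventBot.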

If the configuration file is checked, the financial applications targeted by EventBot can be identified. It may include the applications of international banks.

Most of the targeted applications are from the UK and Italy.

It also targets applications from Germany, France, Romania, Spain, Ireland, Switzerland, India, Poland, Australia, USA etc.

Cryptocurrency, money exchange services, money transfers, credit card and management applications become prey to EventBot’s attack.

Functionalities of EventBot Malware

The basic functionalities of EventBot are:

  1. Device Information

When EventBot is installed, it asks for device information like OS, Model, Vendor, GPStatus, GPVersion, botnetID, botVer, LibVer, ScreenLockType, etc.

  2. Installed Applications

EventBot lists all the targeted applications that have been activated.

  3. Parsing SMS

This trojan has the capacity to parse SMS messages and act immediately based on the given data.

  4. Data Encryption

Once EventBot is installed on an Android mobile, it will use different methods of encryption to lock the data. The different versions of EventBot have different encryption methods.

These are the major changes that follow the installation of EventBot.

Hence, if there is any doubtful activity noticed on using an Android mobile, care must be taken while performing financial transactions.

Impact of EventBot Malware

EventBot is a mobile banking trojan that steals financial information and hijacks transactions.

Once this malware is installed, it will collect personal information like passwords, keystrokes, banking information and other sensitive data.

Thus, EventBot can be impactful. The following security tips can be followed to prevent an attack.

Security Tips for EventBot Malware

  1. Keep your mobile device up to date with the latest software updates from legitimate sources.
  2. Keep Google Play Protect turned on.
  3. Do not download mobile apps from unofficial or unauthorized sources. Most legitimate Android apps are available on the Google Play store.
  4. Always apply critical thinking and consider whether you should give an app the permission it requests.
  5. When in doubt, check the APK signature and hash in sources like VirusTotal before installation on your device.
  6. Use mobile threat detection solutions for enhanced security.

These are the major security tips you need to follow to avoid this Mobile Trojan. 

Finally,

Nowadays, most of the online activities can be done through mobile devices. This has resulted in the introduction of mobile trojans, especially in Android mobile devices. As there is an increase in the usage of online shopping apps on mobile devices, the attackers are working to create mobile malware. EventBot malware is one among them. This is one of the methods of generating profit for cybercriminals.
