Security researchers at Cybereason have warned that a newly created mobile banking Trojan, named EventBot, can grab passwords and also intercept two-factor authentication codes.

The Cybereason Nocturnus research team has been investigating the EventBot Android malware since it emerged in March 2020, and has now published a report on its findings.

Assaf Dahan, senior director for threat research at Cybereason said the EventBot code “seems to have been written from scratch, and it doesn’t look like it’s based on previous Android malware”. It’s also subject to what the researchers refer to as “constant iterative improvement”, and has the potential to cause huge financial damage.

Initially, EventBot is targeting 200+ financial applications from banks to cryptocurrency wallets and money transfer services from the likes of Barclays, Coinbase, HSBC UK, PayPal, Revolut, Santander UK and TransferWise. However, this type of attack is problematic for telecoms firms who not only offer financial services, but are part of the security value-chain and are also major billers – meaning that customers could be compromised while paying their phone bill and inadvertently open another back door.

The malware poses as a legitimate application, such as a Flash update, installed from unauthorised or compromised sources, and relies on the unsuspecting user to grant it permission to read external storage and SMS, and to create system alert windows that can be drawn on top of other apps.

Because EventBot combines a banking Trojan with an infostealer, it can intercept text messages, which many firms use for two-factor authentication, as well as passwords, allowing accounts to be easily compromised.
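As an added illustration (not code from the post or from Cybereason's report), the triage routine below parses a decoded AndroidManifest.xml and flags the SMS-plus-overlay permission combination described above; the two manifests and their package names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permissions the post says EventBot asks for. Each is common on its
# own; SMS access combined with overlay drawing is the pairing to flag.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
STORAGE_PERM = "android.permission.READ_EXTERNAL_STORAGE"

# Constructed sample manifests (not real EventBot artefacts): a fake
# "Flash update" requesting the full set, and a benign reader app.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Set of <uses-permission> names in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Flag the SMS-plus-overlay combination for analyst review."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMS)
    overlay = OVERLAY_PERM in perms
    return {
        "package": root.get("package"),
        "sms": sms,
        "overlay": overlay,
        "storage": STORAGE_PERM in perms,
        # Overlay lets an app draw a fake login over a banking app; SMS
        # access lets it read the one-time code. Together they need review.
        "verdict": "review" if (sms and overlay) else "ok",
    }
```

Real APKs store the manifest in binary XML, so decode it (for example with apktool) before feeding it to this parser.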

But EventBot isn’t just targeting consumers. There are serious implications for enterprises as well: once it compromises a consumer account, that account can be used to gain access to enterprise networks. Javvad Malik, security awareness advocate at KnowBe4, highlighted that enterprise IT teams need to ensure that cyber-awareness programmes are being maintained, particularly during lockdown, when additional distractions could lead to critical errors by users working from home.

Omnisperience believes the repeated occurrence of mobile application attacks, combined with the emergence of unique malware aimed at phishing, SIM swap and data theft, means organisations urgently need to look again at the protection levels they provide for access to their systems. We call this User Isolation Protection (UIP) and advocate that organisations should be focusing on the latest access and authentication offerings as a matter of priority, moving from their reliance on easily compromised SMS-based one-time authentication or passwords to wider multi-factor authorisation. (See the Omnisperience Green Paper, User Isolation Protection.)

Posted by Kevin Bailey
