Researchers at cyber security firm Cybereason have discovered a new mobile banking Trojan that is targeting financial applications to steal credentials used by Android users to log into banks and other financial institutions.
The malware, dubbed EventBot, was first spotted by Cybereason's Nocturnus team in March this year. Since then, it has been tracked extensively by the researchers, although they are yet to uncover the hacking group behind the new malware.
According to researchers, this malware can disguise itself as a genuine app - like Microsoft Word or Adobe Flash for Android. Once installed, it starts abusing the in-built accessibility features of the devices to get deeper access into the operating system. It then steals passwords for different cryptocurrency and banking apps, including Coinbase, PayPal Business, HSBC, CapitalOne UK, Revolut. UniCredit, Barclays, TransferWise, and many more.
EventBot can also intercept the two-factor authentication (TFA) security codes sent to the device, thereby enabling hackers to steal funds from victim's bank accounts and cryptocurrency wallets.
EventBot has been written from scratch and is currently undergoing active development. So far, researchers have tracked four versions of the malware: 0.0.0.1, 0.0.0.2, 0.3.0.1, and 0.4.0.1.
Each new version was found to expand the functionality of the malware and helping it to obfuscate the malware against analysis. The researchers said they have also identified IDs named with "test" in codebase.
Assaf Dahan, head of threat research at Cybereason, described EventBot as a sophisticated piece of malware, which has the potential to become the next big mobile malware threat. Its developers have invested a good amount of time and effort to create this malware, the researchers said.
Cybereason experts predict that EventBot's developers could soon introduce it in a "rogue" third-party app store, while also trying to sneak it into the Google Play Store.
"Though EventBot is not currently on the Google Play Store, we were able to find several icons EventBot is using to masquerade as a legitimate application," the researchers said.
"We believe that, when it is officially released, it will most likely be uploaded to rogue APK stores and other shady websites, while masquerading as real applications."
US Cyber agency offers best practice for configuring Microsoft Office 365 to secure employees working from home
Malicious web shells can evade detection from most security tools, so they are difficult to detect
New version with 256-bit AES encryption (for real this time) to be rolled out next week
The reported vulnerabilities impact Zoom clients for MacOS and Windows, Zoom refutes the claim
Nemty ransomware operators close public ransomware-as-a-service operation and switch to private mode
Victims have one week to purchase decryption keys from operators