Security researchers have warned that newly created mobile banking malware can not only grab passwords for more than 200 financial apps, but intercept two-factor authentication codes as well.
The Cybereason Nocturnus research team has been investigating the EventBot Android malware since it emerged last month, and today published a report into its findings. Assaf Dahan, senior director for threat research at Cybereason, told SC Media UK that the EventBot code "seems to have been written from scratch, and it doesn't look like it's based on previous Android malware." It's also subject to what the researchers refer to as "constant iterative improvement," and has the potential to cause a whole heap of financial damage.
Targeting in excess of 200 financial applications, from banks to cryptocurrency wallets and with money transfer services thrown in for good measure, EventBot combines a banking Trojan with an infostealer. The likes of Barclays, Coinbase, HSBC UK, PayPal, Revolut, Santander UK and TransferWise are among the apps being targeted by EventBot across Europe, with the UK amongst the countries in particular focus.
Posing as legitimate applications such as a Flash update, installed from unauthorised or compromised sources, EventBot relies upon the unsuspecting user granting it a bunch of permissions from reading external storage and SMS to creating system alert windows that can be shown on top of other apps.
Most critically, it also prompts the user for access to accessibility services. This provides the malware with the capability to operate as a keylogger and intercept notifications from other apps as well the content of open windows. Ringing alarm bells yet? It should be, as the most recent iterations of this rapidly evolving malware will also ask for permission to run in the background before then deleting itself from the system launcher.
Because EventBot can intercept SMS text messages, sadly still used by too many financial services for two-factor authentication purposes, as well as passwords thanks to the accessibility features that make application data grabbing a cinch, accounts can be readily compromised.
And don't think that EventBot is just something for consumers to worry about, there are implications for the enterprise as well. "In the age of 'Bring-Your-Own-Device', malware authors are finding novel ways to target enterprises through their employees' reliance on mobile devices," Kristina Balaam, security intelligence engineer at Lookout told SC Media UK. Using operating system vulnerabilities or, as in the case of EventBot, legitimate accessibility service features, "the attacker is able to target a wide range of operating system versions and compromise user data without requiring privileged access," Balaam warns.
Paul Bischoff, a privacy advocate at Comparitech, says that he's hopeful "Google will roll out an update soon that patches the vulnerable accessibility settings." Bischoff also points out that because this app steals SMS messages to bypass two-factor authentication, users should switch to an authentication app where possible. "If your banking app supports Google Authenticator or Authy, for example, those are safer solutions than SMS verification," he says.
Enterprise IT teams also need to ensure that cyber-awareness programmes are being maintained, especially during this time of lockdown where additional distraction could lead to critical errors by users working from home. "User awareness is important so as to be wary of which apps are being downloaded and from where," Javvad Malik, security awareness advocate at KnowBe4 told SC Media UK, "for corporate-owned devices, approval should be sought from the IT department."
With EventBot posing as legitimate application updates, the role of phishing cannot be underestimated. "Employees should do their best to protect their devices against compromise by always installing the latest updates," Balaam concludes, "and be diligent about spotting phishing attacks that may trigger malicious downloads."