Android trojan EventBot abuses accessibility services to clear out bank accounts – fortunately, it’s ‘in preview’

May 1, 2020 TH Author

Researchers have analysed a new strain of Android malware that does not yet exist in the wild.

Cybereason boffins did this by observing submissions to virus detection site VirusTotal not from the general public, but from one source presumed to be miscreants testing whether the nasty would be spotted.

Its creators call the malware EventBot, though if it is released it could be disguised within other apps that claim to be games or utilities, or marketed as a component to other criminals. In the Cybereason report, the researchers describe how they tracked a succession of submissions, seeing “features” added as the coders improve EventBot’s capabilities.

EventBot asks the user for permission to use accessibility services, a powerful feature since these services require extensive permissions in order to work, including acting as a keylogger, for example, and running in the background.

EventBot also requires Android permissions including reading internal storage, reading and sending SMS messages, launching automatically after system boot, showing windows on top of other apps, and requesting to install additional packages. Some of these permissions prompt the user, even stating that the app needs to “observe text you type – includes personal data such as credit card numbers and passwords.”

Wouldn’t most users refuse such permissions? Assaf Dahan, who leads the research team, told The Reg: “Most users that are not tech-savvy will not question why the app needs this or that permission, they will just give it so they can let the app run. Most people don’t even bother reading it, there’s a lot of trust. The human link is the weakest link in cyber security.”

Once installed, the app downloads a configuration file with currently around 200 financial targets, including PayPal, Coinbase, Barclays, HSBC, Santander, Starling, Lloyds, Mondo, Revolut, TSB, Tesco and Bank of Scotland – a full list is in the report. When active, it can perform webinjects, intercepting data sent to target sites. Along with the ability to read SMS messages, it may be able to defeat some types of two-factor authentication. It can grab screen PINs, “most likely to give the malware the option to perform privileged activities on the infected device related to payments, system configuration options,” the report explained.

The most recent versions of EventBot use obfuscation to disguise class names in the code.

Cybereason said that one-third of all malware now targets mobile endpoints, and that 60 per cent of devices accessing enterprise data are mobile. In mitigation, though, both Android and iOS are designed with stricter permissions than desktop PCs, and protected by the fact that most applications are installed via a curated store. Would EventBot have any chance of getting past Google’s malware checks?

“I’d like to say that would never happen but the facts prove us wrong,” said Dahan. “It doesn’t happen often, but malware is found in the Play store. It’s not unheard of.”

Evidence of this was confirmed recently by Kaspersky researchers, who said of a malware campaign dubbed “PhantomLance”: “We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play. One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.”

According to Kaspersky: “We spotted a certain tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads.”

Concerning EventBot, you would expect that the authors will read the Cybereason report and make changes to avoid identification. “That’s part of this eternal cat-and-mouse game,” said Dahan. “Malware is polymorphic, it mutates all the time to evade antivirus and other security products.”

Despite the existence of EventBot and other mobile malware, is it not true that mobile devices are still more secure than desktop PCs, which are more open and allow users more freedom in installing apps from anywhere? “The attack surface is broader with desktop,” Dahan told us, “but the world is shifting fast towards mobile. Banking trojans were really big on desktop, today they have to have a mobile component. Today most banks have two-factor authentication with a code either generated or sent to the mobile phone. Threat actors have to adapt and switch to mobile.”

The solution is for users to resist giving excessive permissions to apps they install, and for Google to up its game when it comes to detecting malicious submissions – though we emphasise that EventBot itself has not yet been spotted anywhere other than on VirusTotal. ®

Sponsored: Practical tips for Office 365 tenant-to-tenant migration