Android malware that specializes in stealing bank passwords and recording keystrokes
Cybereason, a security company, discovered malware on the Android platform and named it EventBot. According to THN, EventBot can target 200 different financial applications, including banking software, money transfer services, and encrypted e-wallets such as PayPal Business, Revolut, Barclays, CapitalOne, HSBC, Santander, TransferWise, and Coinbase.
A representative of the research team said that this malicious application is particularly interested in the above software because they are quite new and somewhat rudimentary. 'This new type of malware actually has the potential to become a more dangerous version of malware on mobile phones because it is constantly improving, abusing critical operating system features and targeting malicious applications. main', the team at Cybereason said.
The attack campaign using EventBot was first discovered in March 2020. The malware was disguised as legitimate software (such as Adobe Flash or Microsoft Word) and appeared on fake Android app stores (which often host APK files for installing applications on this platform) or on non-transparent websites. After installation, the program requests additional permissions on the device.
The requested permissions include access to Settings, the ability to read content on an external memory card, send and receive SMS messages, run in the background, and start automatically after the system is rebooted. If the user grants these permissions, EventBot starts to record the keystrokes the user enters on the screen, collects notifications when other applications are installed, and views content from the program open on screen.
EventBot can also exploit Android accessibility services to collect screen lock codes and then transfer all the collected data in encrypted form to the server controlled by the attacker.
The ability to analyze SMS messages (text messages) gives this application a useful tool for bypassing SMS-based two-step verification, giving hackers access to cryptocurrency wallets and letting them easily steal from the victim's bank account.
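For defenders triaging a sideloaded APK, the capability set described above can be checked in its decoded manifest. The following is an added example, not code from Cybereason or the original article; the mapping from the article's capability descriptions to Android permission names is an assumption, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> Android permission names (assumed mapping).
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "background_run": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(manifest_xml):
    """Return (sorted capabilities found, high_risk flag) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if perms & requested}
    # An accessibility service is declared on <service>, not via <uses-permission>.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY for s in root.iter("service")):
        found.add("accessibility_service")
    # Accessibility plus SMS access is the pairing that allows reading the
    # screen and SMS one-time codes; flag it for manual review.
    high_risk = {"accessibility_service", "sms"} <= found
    return sorted(found), high_risk


# Constructed sample manifests (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, audit_manifest(xml))
```

The input is the text form of `AndroidManifest.xml`; the binary manifest inside an APK must be decoded first.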
Suspicious applications such as EventBot may not exist on the official Google Play Store, so researchers once again recommend that users install programs on their phones only from official software stores and avoid downloading and installing from other untrusted sources.
This is not the first time mobile malware has targeted financial services. Last month, IBM's X-Force team announced a campaign called TrickMo by hackers targeting users in Germany, using malware that takes advantage of the Accessibility feature on phones to block and read one-time passwords (OTP), mTAN and pushTAN authentication codes (banking-related services in Germany).