A New Android Banking Trojan Named “EventBot” Has Emerged

Last updated June 23, 2021
Written by: Bill Toulas, Infosec Writer

A new banking trojan called “EventBot” is roaming the Android space. The discovery and report come from the Cybereason Nocturnus team, which dates the malware’s first appearance to around March 2020. EventBot is a powerful banking trojan and info-stealer that can access SMS messages to bypass two-factor authentication, steal financial data from over two hundred institutions, and also steal crypto-coins from wallets. EventBot is still under heavy and rapid development, which signals that it could become the next big threat in the Android ecosystem.

All EventBot permission requests, Source: Cybereason

“EventBot” spreads through APKs found in unofficial Android app stores, torrents, and other obscure sources, so it’s not on the Google Play Store yet. The malware uses fake icons to masquerade as real applications such as MS Word, Adobe Flash, and so on. Once installed, it asks the user to grant access to the “accessibility services,” which is precisely where Pandora’s Box opens. This enables EventBot to operate as a keylogger, retrieve notifications, access content on active windows, and more. More recent versions also ask for permission to run in the background and then delete the launcher’s icon.
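A defender can triage a sideloaded APK for the permission pattern described above. The sketch below is an added example, not code from Cybereason or the original article; it assumes the manifest has already been decoded to text XML (for instance with apktool), and the function names, flag labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS_PERMS = {P + "READ_SMS", P + "RECEIVE_SMS"}
# Assumption: "run in the background" is requested via this real Android permission.
BACKGROUND_PERMS = {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}

def triage_manifest(xml_text):
    """Return behaviour flags found in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    flags = set()
    if requested & SMS_PERMS:
        flags.add("sms_access")
    if requested & BACKGROUND_PERMS:
        flags.add("background_run")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == P + "BIND_ACCESSIBILITY_SERVICE":
            flags.add("accessibility_service")
    return flags

def is_high_risk(flags):
    """SMS access plus an accessibility service is the pairing worth escalating."""
    return {"sms_access", "accessibility_service"} <= flags

# Constructed sample manifests (hypothetical package names, not real samples).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Sync"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        flags = triage_manifest(doc)
        print(name, sorted(flags), "HIGH RISK" if is_high_risk(flags) else "ok")
```

The check covers only what the manifest declares; the launcher-icon removal mentioned above is not inspected here.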

Here are all of EventBot’s functions right now:

SMS parsing, Source: Cybereason

Although EventBot is not massively deployed yet, it already covers apps such as PayPal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, and Paysafecard. The e-banking apps it targets belong to institutions from Italy, the UK, Spain, Switzerland, France, and Germany.

All apps targeted by EventBot, Source: Cybereason

Cybereason can speculate on the identity of the threat actors behind EventBot, but nothing can be declared with certainty right now. By analyzing the infrastructure, the researchers found a connection with Italian actors who launched several attacks in Italy last year using an Android info-stealer. With new versions of EventBot being released every couple of days, we expect this malware to become a severe problem when its authors decide to market it.