Researchers at Cybereason have been investigating a brand new piece of malware, dubbed EventBot, which tricks you into granting it accessibility permissions in Android so it can read your text messages, steal those one-time passcodes and bypass your bank’s two-factor authentication.
It isn't the first Android malware to do this: SlemBunk worked in a similar way back in 2016.
The team at Cybereason found that EventBot targets money transfer services and cryptocurrency wallets as well as the banking apps you’re probably familiar with. The list includes:
- Santander UK
- HSBC UK
- CapitalOne UK
- TSB Business
- PayPal Business
These are all the apps that EventBot is known to target:
EventBot hasn’t been officially released yet, so it’s unusual to have a heads-up this early on a new threat. The team at Cybereason have been tracking updates since they first encountered the malware in March 2020, and it’s becoming more sophisticated every day.
How does EventBot work?
It masquerades as a legitimate app which you might download on your phone. So far, these are the icons it uses, one being Microsoft Word.
When you install the app and launch it, it will ask you to grant it permissions, such as accessibility and always running in the background, so you “get the full functionality”. This is how it gets access to read your text messages and work as a keylogger to steal your passwords and other information.
Obviously this is extremely dangerous as it could have serious consequences, such as emptying your bank account, stealing logins for other services, capturing personal and business information and more.
How to protect your Android Phone from malware
So far EventBot has not been found on the Google Play Store and hasn’t been involved in any major attacks, but the usual security advice prevails: only install apps from reputable sources (such as the Play Store) and run good antivirus software on your phone.
Also, if an app asks for permissions, don’t just accept them without even reading them. Carefully consider whether the app should have the access that it’s asking for. Often you can deny certain permissions while allowing others, but if in doubt deny them all and consider deleting the app and finding an alternative, or an alternative source to install it from.
The Cybereason Nocturnus team say it’s likely that when the malware is released it will be uploaded to rogue APK stores and websites, pretending to be real apps.
If you do install APKs manually from these types of places then make sure you check the APK signature and hash on sites such as VirusTotal to find out if they’re genuine or not.
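The hash check described above can be scripted before you look a file up. The following is an added example, not code from Cybereason or from this article: it computes the SHA-256 you would search for on VirusTotal, compares it with a hash published by the app's developer, and reports which signature structures the file carries. The function names and the sample file are constructed for illustration.

```python
import hashlib
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"  # last 16 bytes of the APK Signing Block (v2+ schemes)


def has_signing_block(data: bytes) -> bool:
    """True if the v2+ signing block magic sits directly before the ZIP central directory."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0 or eocd + 22 > len(data):
        return False
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    return cd_offset >= 16 and data[cd_offset - 16:cd_offset] == APK_SIG_MAGIC


def check_apk(data: bytes, expected_sha256: str) -> dict:
    """Hash the download and report which signature structures it carries."""
    digest = hashlib.sha256(data).hexdigest()  # the value to search for on VirusTotal
    report = {"sha256": digest,
              "hash_matches": digest == expected_sha256.strip().lower(),
              "is_apk": False, "v1_signature_files": [],
              "v2_signing_block": has_signing_block(data)}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as apk:
            names = apk.namelist()
    except zipfile.BadZipFile:
        return report  # not even a ZIP archive, so not an installable APK
    report["is_apk"] = "AndroidManifest.xml" in names
    report["v1_signature_files"] = sorted(
        n for n in names
        if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")))
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in for a downloaded APK (placeholder contents, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed manifest")
        z.writestr("classes.dex", b"constructed code")
        z.writestr("META-INF/CERT.RSA", b"constructed signature")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    published = hashlib.sha256(sample).hexdigest()  # stands in for the publisher's hash
    print(check_apk(sample, published))
    print(check_apk(sample + b"\x00", published)["hash_matches"])  # altered file
```

Finding signature files or a signing block only shows that the file is signed, not who signed it; Android's `apksigner verify --print-certs` prints the signing certificate so you can compare it with the developer's.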
You should be safe if you only install apps from the Google Play Store, but even then, it’s worth running a reputable antivirus app on your Android devices. Naturally, Cybereason Mobile detects and blocks EventBot, but that's for businesses. If you’re after a consumer app, check out our recommendations of the best antivirus software.