Security researchers at Cybereason are warning of a new mobile banking trojan that steals details from financial apps and intercepts SMS messages to bypass two-factor authentication mechanisms.

According to experts who have examined the code of the malware, known as EventBot, it differs substantially from previously known Android malware – suggesting that it might be written by a new group of cybercriminals.

Any malware that can harvest banking passwords and financial data, and waltz past protection mechanisms like 2FA to break into accounts, is obviously a concern, but what makes EventBot more troubling is the broad range of targets in its sights.

EventBot targets a list of over 200 different banking and finance apps, most of which are designed for banks and cryptocurrency wallet services.

Amongst the apps targeted are PayPal Business, Revolut, Barclays, UniCredit, CapitalOne, HSBC, Santander, TransferWise, and Coinbase. Cybereason’s researchers have published a full list (PDF) if you wish to check if your particular app might be at risk.

What is also troubling is that EventBot was first seen in March 2020, and yet despite its infancy has demonstrated a high level of sophistication, with its unknown developers actively pushing out new versions every few days.

“With each new version, the malware adds new features like dynamic library loading, encryption, and adjustments to different locales and manufacturers.”

One piece of good news is that so far the malware does not appear to have been able to inveigle its way into the official Google Play store, meaning that it is likely to have only been distributed via third-party marketplaces.

To install apps from such marketplaces, Android users need to change their settings to allow apps to be installed from unknown sources, but history has shown that with the right social engineering techniques criminals have been able to trick users into doing just that.
