

Researchers Find Baby Banking Trojan, Watch It Grow

EventBot is an Android information stealer on its way to becoming a very capable piece of malware.

Asaf Dahan, senior director at Cybereason, is trying to explain what happened.

"My team and I were monitoring the threat landscape across different regions, industries, and technologies. We were chasing a lead on different malware and went down a rabbit hole. And when you go down a rabbit hole, you can become distracted," he says.

The distraction at the bottom of the rabbit hole turned out to be EventBot, a banking Trojan being built in real time as the team watched.

Dahan is in charge of the Cybereason Nocturnus research team. What he and his team found in March was a new type of Android malware that targets users of more than 200 different financial applications and is getting better on an almost-daily basis.

"It was very interesting because it looked like it was still under development — version zero-dot-something. We saw a banking Trojan in the making," Dahan says.

In a blog post about its research, the Nocturnus team says EventBot abuses Android's accessibility features to steal user data from financial applications and to read and intercept users' SMS messages, which lets the malware bypass SMS-based two-factor authentication. The team has watched the developer (or developers) of EventBot improve it step by step over a couple of months, Dahan says.

"We saw that whoever is behind it was uploading and trying to test detection, and every few days we got new samples from VirusTotal and other sources. Every few days the threat actor would update the code with new features, new obfuscation, and new tools," he explains.

While EventBot is becoming more capable, it has not yet been fully operationalized, Dahan says. It has not yet appeared on Google Play or another legitimate Android app store; Dahan hopes that by identifying the malware now, it will be prevented from taking hold on a major app store.

Indeed, prevention will be critical, Dahan says, because without it he sees the potential for EventBot to become a major banking Trojan and info stealer, on a par with the Raccoon stealer that was a major piece of Android malware in 2019. The Nocturnus team has already found a number of legitimate application icons associated with EventBot — icons that the malware could use to hide its true identity from victims.

While the researchers have watched EventBot grow, there's still a great deal they don't know about the malware — such as the identity of the developer.

"We haven't seen significant code overlap with previous actors, so it's likely to have been written from scratch," Dahan says. "It could be a new threat actor or someone existing who decided to try new malware. I don't think they're super-experienced, but they're not novice — they're somewhere in between."

There's also not enough information to know precisely how EventBot will be used in attacks, whether by the developer as proprietary code or in a malware-as-a-service leasing scheme.

"This could be both — it depends on the size of the operation and the connections the threat actor has," Dahan says. "The criminal cyber ecosystem is vast and complicated, and reputation and trust are your strongest currencies."

Dahan says his team will be watching EventBot as it continues to develop, but he does have advice on protection for potential victims.

"This is an Android threat, not iOS. We haven't seen the malware on Google Play, so it's most likely in the first stages to be available in the rogue stores or dubious sites offering free cracked apps," Dahan says, pointing out that these dubious sites are the sources of a large percentage of the malware found on Android devices. Individuals should not get their apps from any site not created and maintained by a legitimate business, he advises.

"[Next], in order for this to work it requires the user to authorize or give permission for the accessibility features," Dahan says. Users should apply critical thinking to any app requests for access to microphones, cameras, cloud accounts, or other data sources.

"If the app is requesting permission it doesn't really need, don't click 'yes,'" he says. "Even legitimate apps that harvest a lot of data and turn us into the product should be watched. Be very mindful of the permissions the app is asking you for."
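As an added, defender-side illustration of that advice (example code written for this page, not from the article or from Cybereason), the following POSIX shell script audits an Android device for the two capabilities the article says EventBot depends on: being enabled as an accessibility service, and holding an SMS permission. The raw data comes from standard `adb shell` commands, but the parsing lives in functions so it can be exercised on constructed sample text without a device. The `ALLOWED_SERVICES` allowlist is an assumed placeholder, and the `dumpsys package` line format the script expects is an assumption to check against your own device's output.

```shell
#!/bin/sh
# Added example, not code from the Dark Reading article or from Cybereason.
# Audits an Android device for the capabilities the article says EventBot
# relies on: being enabled as an accessibility service, and holding SMS
# permissions. Raw data is read with adb; parsing lives in functions so it
# can be exercised on constructed sample text without a device.

# Assumed allowlist (placeholder): accessibility services you expect to be
# enabled, in the "package/service" form Android stores them in.
ALLOWED_SERVICES="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Split the raw value of the secure setting enabled_accessibility_services
# (entries separated by ':') into one "package/service" entry per line.
# An empty value or the literal "null" means no service is enabled.
parse_accessibility_services() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | sed '/^$/d'
}

# Print every enabled service that is not in ALLOWED_SERVICES.
# Returns 1 if at least one unexpected service was found, else 0.
flag_unexpected_services() {
    found=0
    for entry in $(parse_accessibility_services "$1"); do
        case ":$ALLOWED_SERVICES:" in
            *":$entry:"*) ;;
            *) printf 'UNEXPECTED accessibility service: %s\n' "$entry"
               found=1 ;;
        esac
    done
    return "$found"
}

# Read `dumpsys package` output on stdin and print each package that has
# READ_SMS or RECEIVE_SMS granted. Assumed format: a "Package [name] (...)"
# header followed, further down, by "<permission>: granted=true" lines.
apps_with_sms_permission() {
    awk '
        /^ *Package \[/ { pkg = $2; gsub(/\[|\]/, "", pkg) }
        /android\.permission\.(READ_SMS|RECEIVE_SMS): granted=true/ && pkg != "" && !seen[pkg]++ { print pkg }
    '
}

# Live audit of a connected device (requires adb and a device with USB
# debugging enabled). tr strips the CR that adb shell output can carry.
audit_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    echo "== Enabled accessibility services =="
    parse_accessibility_services "$raw"
    flag_unexpected_services "$raw" || echo "Review the entries flagged above."
    echo "== Packages granted SMS permissions =="
    adb shell dumpsys package | tr -d '\r' | apps_with_sms_permission
}

# Demo on constructed data so the script does something without a device;
# pass --device to run the live audit instead.
SAMPLE_SETTING="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknown/com.example.unknown.Svc"
if [ "${1:-}" = "--device" ]; then
    audit_device
else
    flag_unexpected_services "$SAMPLE_SETTING" || :
fi
```

Run it with `--device` against a phone with USB debugging enabled; without arguments it only exercises the parser on the constructed sample value. Any accessibility service or SMS-permission holder that is not an app you deliberately installed from a legitimate store is worth revoking and investigating.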

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...