Eventbot, a new family of banking malware for Android

The initial cases have affected banks in the UK, Italy and Spain, although it is likely that banks from other European countries will soon be added to this list.

As is the norm in practically all trojan bankers for Android, Eventbot uses web injections to steal victims’ banking credentials. These are displayed to the user through the habitual overlays, which appear after the malware detects that the genuine banking application has been opened.


Unlike the existing banking trojans for Android, Eventbot includes new methods of robbing banking credentials, and in addition to the use of webinjects, this ‘banker’ also siphons off data through the accessibility service it installs and which allows it to gather information on events that occur on the user interface.

This includes changes to text fields, key presses, etc. Thanks to these new functionalities, this trojan doesn’t need to use webinjects to steal data, rather it listens for events related to the username and password text fields of affected applications.

If you want to know in detail how this Trojan works, download the complete report.


Android Banker: Evenbot 

Since March, there have been signs of a new trojan in the sphere of banking malware for Android. The name given to this new family is ‘Eventbot’. This is mainly due to the fact that the word ‘event’ is used in the malicious app package identifier, probably because of its novel functionality of using accessibility events to steal credentials.

Most banking trojans use accessibility events to detect when an application is opened, before showing a webinject with a phishing form that siphons off the victim’s credentials.


Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.



buguroo’s cloud-based fraud detection delivers a straightforward solution for detecting and stopping today’s – and tomorrow’s malware threats. Banks and their customers can be protected from one of the most malicious threats in use by cybercriminals.


Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video