The initial cases have affected banks in the UK, Italy and Spain, although it is likely that banks from other European countries will soon be added to this list.
As is the norm in practically all trojan bankers for Android, Eventbot uses web injections to steal victims’ banking credentials. These are displayed to the user through the habitual overlays, which appear after the malware detects that the genuine banking application has been opened.
Unlike the existing banking trojans for Android, Eventbot includes new methods of robbing banking credentials, and in addition to the use of webinjects, this ‘banker’ also siphons off data through the accessibility service it installs and which allows it to gather information on events that occur on the user interface.
This includes changes to text fields, key presses, etc. Thanks to these new functionalities, this trojan doesn’t need to use webinjects to steal data, rather it listens for events related to the username and password text fields of affected applications.
If you want to know in detail how this Trojan works, download the complete report.