Eventbot, a new family of banking malware for Android


The initial cases have affected banks in the UK, Italy and Spain, although it is likely that banks from other European countries will soon be added to this list.

As is the norm for practically all banking trojans for Android, Eventbot uses web injections to steal victims’ banking credentials. These are displayed to the user through the usual overlays, which appear after the malware detects that the genuine banking application has been opened.


Unlike existing banking trojans for Android, Eventbot includes new methods of stealing banking credentials: in addition to webinjects, this ‘banker’ also siphons off data through the accessibility service it installs, which allows it to gather information on events that occur in the user interface.

This includes changes to text fields, key presses, etc. Thanks to this new functionality, the trojan doesn’t need webinjects to steal data; instead, it listens for events related to the username and password text fields of affected applications.
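
For analysts triaging a suspicious APK, the accessibility profile described above can be checked statically. The following is an added example, not code from the report: a sketch that reads a decoded `<accessibility-service>` resource and flags the settings that let a service observe text input in other apps. The sample configs, the package name `com.example.reader` and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Event types that reveal typed text or which field the user is interacting with.
INPUT_EVENTS = {"typeViewTextChanged", "typeViewTextSelectionChanged",
                "typeViewFocused", "typeViewClicked", "typeAllMask"}

def triage_service_config(xml_text):
    """Return findings for one decoded <accessibility-service> resource."""
    root = ET.fromstring(xml_text)
    if root.tag != "accessibility-service":
        raise ValueError("not an accessibility-service config")
    findings = []
    raw = root.get(ANDROID + "accessibilityEventTypes", "")
    events = {e.strip() for e in raw.split("|") if e.strip()}
    risky = sorted(events & INPUT_EVENTS)
    if risky:
        findings.append("observes input events: " + ", ".join(risky))
    if root.get(ANDROID + "canRetrieveWindowContent", "false").lower() == "true":
        findings.append("can read window content of other apps")
    # Without android:packageNames the service receives events from every app.
    if not root.get(ANDROID + "packageNames"):
        findings.append("receives events from all packages")
    return findings

# Constructed sample: the broad profile a credential-stealing service would need.
BROAD = """
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewTextChanged|typeViewFocused|typeWindowStateChanged"
    android:canRetrieveWindowContent="true" />
"""
# Constructed sample: a service scoped to one package and to notification events.
SCOPED = """
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeNotificationStateChanged"
    android:canRetrieveWindowContent="false"
    android:packageNames="com.example.reader" />
"""

if __name__ == "__main__":
    for name, cfg in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, triage_service_config(cfg))
```

Event types and the package filter can also be changed at runtime through `setServiceInfo()`, so a clean static config is a triage signal rather than proof of benign behaviour.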

If you want to know in detail how this Trojan works, download the complete report.


Android Banker: Eventbot

Since March, there have been signs of a new trojan in the sphere of banking malware for Android. The name given to this new family is ‘Eventbot’. This is mainly due to the fact that the word ‘event’ is used in the malicious app package identifier, probably because of its novel functionality of using accessibility events to steal credentials.

Most banking trojans use accessibility events to detect when an application is opened, before showing a webinject with a phishing form that siphons off the victim’s credentials.

 
