Eventbot is the most recent banking trojan for Android and one we looked at recently in a detailed report explaining its operation and the new features it deploys compared to other bankers for Android.
This time, we’re going to run through several novel features that have been detected in recent samples. It seems that its developers, together with the developers of Cerberus, have been some of the most active over the past few months.
In the case of Eventbot, the new features aren’t related to the list of banks or applications targeted, as there have been no changes in this area.
Rather, they concern technical features, specifically obfuscation: the attackers currently seem to be focused on making this malware as difficult as possible to analyse.
The most salient new feature is the string obfuscation, which varies between the two stages (the dropper stage and the payload that executes the malware).
The string obfuscation in the second stage is somewhat more complicated than in the first and uses the names of the functions that call the decryption function as the decryption key, something that’s rarely seen in this type of malware.
As well as the string obfuscation, another notable novelty is an improvement to the C2 server. It now withholds the web injections until enough requests have been sent from a registered device, so the content cannot be retrieved unless an infected device has been in use for a minimum amount of time.
Before going into detail on the new features, let’s give a quick recap of the functionality included in this banking trojan and how it tries to steal victims’ banking credentials. We go into more depth on this in our Eventbot report.
The method used by this trojan to steal credentials is the same old method used by other bankers for Android: it registers an accessibility service and asks the user to enable it, which allows the malicious application to receive every event generated by the user in real time.
These events include the user’s interaction with the interface, such as presses on different parts of the screen (buttons, text fields, etc.), or changes in text fields while the user is writing.
Generally speaking, banking trojans use the events received by the accessibility service to detect when applications are opened by the user. This allows the malware to quickly open up a WebView which overlays the legitimate banking application.
A phishing website is then loaded onto the view with the bank’s login form, making the user believe they’re entering their credentials into the legitimate web form.
This is the usual method used by banking malware for Android, but Eventbot adds another: it siphons off credentials by eavesdropping on value-change events in text fields.
This means that while the user is typing their credentials into the legitimate form, the malware receives the change events and recovers the credentials from them, with no overlay required.
The new samples found in June don’t show any changes in terms of the list of financial applications affected.
However, Eventbot’s developers seem to be throwing all their efforts into making it as hard as possible to analyse and detect their new versions, introducing two key new features to achieve this.
The first and foremost of these is the inclusion of string obfuscation. In previous versions, all text strings were stored in the clear, and even the URL of the trojan’s C2 server for sending and receiving data was visible. These strings are now encrypted, with a different scheme depending on the phase.
The code of the initial APK, which serves as a dropper to unpack the malicious payload and execute it, uses a decryption routine based on XOR operations keyed on the ‘?’ character and the length of the string.
String encryption in the first stage
But the most interesting part of the string obfuscation comes in the second stage, once the payload (a DEX file that implements the malware’s core functionality) has been unpacked and is executed.
If we analyse the DEX file, we can see that it uses a very similar XOR strategy, but that the decryption key is derived from the name of the class and the method that call the decryption function.
String decryption function in the second stage
As can be seen in the image, the malware uses Java’s ‘StackTraceElement’ to obtain a trace of the call stack and read the name of the class and the function that called the decryption routine. It then uses those names as the key to decode the string with XOR operations. The practical effect is that the same encrypted blob only decodes correctly at its intended call site, so a generic decoder has to know which class and method invoke it. This is the first time we’ve seen a banking malware for Android that encrypts its strings in this way.
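The following is an added example, not code from the sample or from the report, that re-implements both obfuscation schemes the way an analyst would when batch-decoding strings: a stage-one decoder keyed on ‘?’ and the string length, and a stage-two decoder keyed on the calling class and method name. The page only states the key material, so the exact byte layout (XOR against a repeating keystream, strings stored as hex) is an assumption made for the illustration, as are the class names `Loader`/`Imposter` and the C2 URL. The `decrypt_here` function mimics the `StackTraceElement` trick by reading the caller off Python’s own stack, which shows why the same blob yields garbage when called from anywhere else.

```python
"""Added example: re-implementation of the two XOR string-obfuscation
schemes described above. Key material follows the page (stage 1: '?' and
the string length; stage 2: the calling class and method); the byte layout,
hex encoding and class/URL names are assumptions for this illustration."""
import inspect


def _xor(data: bytes, keystream: bytes) -> bytes:
    """XOR data against a repeating keystream (encryption == decryption)."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


# ---- stage 1: dropper APK --------------------------------------------------
def stage1_keystream(length: int) -> bytes:
    """Assumed scheme: key byte i = '?' XOR (length + i), truncated to 8 bits."""
    return bytes((ord("?") ^ ((length + i) & 0xFF)) for i in range(length))


def stage1_encrypt(plaintext: str) -> str:
    raw = plaintext.encode()
    return _xor(raw, stage1_keystream(len(raw))).hex()


def stage1_decrypt(hex_blob: str) -> str:
    raw = bytes.fromhex(hex_blob)
    return _xor(raw, stage1_keystream(len(raw))).decode("utf-8", errors="replace")


# ---- stage 2: unpacked DEX payload -----------------------------------------
def stage2_key(class_name: str, method_name: str) -> bytes:
    """Assumed scheme: the key is the caller's 'Class.method' string, cycled."""
    return f"{class_name}.{method_name}".encode()


def stage2_encrypt(plaintext: str, class_name: str, method_name: str) -> str:
    return _xor(plaintext.encode(), stage2_key(class_name, method_name)).hex()


def stage2_decrypt(hex_blob: str, class_name: str, method_name: str) -> str:
    """Analyst-side decoder: the caller is read off the disassembly, not the stack."""
    raw = bytes.fromhex(hex_blob)
    return _xor(raw, stage2_key(class_name, method_name)).decode("utf-8", errors="replace")


def _caller_identity() -> tuple:
    """Mimic StackTraceElement: identify the method that called our caller."""
    frame = inspect.stack()[2]          # [0] = here, [1] = decrypt_here, [2] = its caller
    owner = frame.frame.f_locals.get("self")
    cls = type(owner).__name__ if owner is not None else frame.frame.f_globals.get("__name__", "")
    return cls, frame.function


def decrypt_here(hex_blob: str) -> str:
    """Malware-side decoder: the key is whatever class/method invoked it."""
    cls, method = _caller_identity()
    return stage2_decrypt(hex_blob, cls, method)


# Constructed sample: a hypothetical C2 URL encrypted for the call site Loader.fetch_c2.
C2_URL = "http://c2.example.test/gate.php"   # not a real indicator
ENC_C2 = stage2_encrypt(C2_URL, "Loader", "fetch_c2")


class Loader:
    def fetch_c2(self) -> str:
        return decrypt_here(ENC_C2)      # key matches: decodes to C2_URL


class Imposter:
    def fetch_c2(self) -> str:
        return decrypt_here(ENC_C2)      # same blob, different class: garbage


if __name__ == "__main__":
    print(stage1_decrypt(stage1_encrypt("config.json")))
    print(Loader().fetch_c2())
    print(repr(Imposter().fetch_c2()))
```

When decoding a real sample statically, the analyst equivalent is `stage2_decrypt(blob, cls, method)` with the class and method names taken from the smali or decompiled call site; a blob pasted into a generic decoder without that context will not decode, which is exactly the analysis cost the authors are trying to impose.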
The other new feature is in the C2 server, which appears to have been improved so that the webinjects cannot be retrieved without prior registration of a valid device and a sufficient amount of interaction from it.
This makes it more difficult for the domain registrar or the hosting provider to detect the fraudulent use of their services and suspend the activity, and harder for analysts to pull the injections directly.
Eventbot is one of the most recent bankers for Android and one of the most active in terms of development. The attackers appear to be gradually adding new features, with the latest ones mainly aimed at hampering the detection and analysis of new samples.
It will be a good idea to keep this family of malware on the radar to spot possible new versions with new features, both as regards technical aspects and functionality, and to keep tabs on any new financial applications susceptible to attack.