EventBot – dangerous financial malware designed for Android devices
EventBot is financial Trojan that spreads via insecure third-party websites
EventBot is a malicious application that can run on Android-based devices and targets users in the US and Europe. It was first spotted in March 2020, and security researchers from Cybereason Nocturnus were analyzing the malware closely for several weeks before releasing their findings. As it turns out, EventBot is a Trojan that abuses accessibility feature within Android OS in order to steal banking and other information from over 200 different financial apps. Malware is also capable of bypassing two-factor authentication, reading data from crypto-wallets, as well as stealing SMS message contents.
Since EventBot virus is operating in the background, users who are not protecting their devices with security solutions might never know that they are infected in the first place. In the meantime, the malicious app can gather sensitive data and deliver it to cybercriminals. Victims can suffer significant monetary losses, have their credit score corrupted, loans are taken out in their names, and suffer from identity theft. While EventBot is still under active development, it is malware that Android users should be very scared of.
|Type||Android virus, Financial Trojan|
|Release date||March 2020|
|Distribution||Like many other malicious apps designed for mobile devices, EventBot is installed via fake applications downloaded from third-party sites (such as P2P)|
|Primary function||Harvest sensitive financial data and device information and send it to a remote server for the attackers to abuse|
|Versions||Version 0.0.0.1, Version 0.0.0.2, Version 0.3.0.1, Version 0.4.0.1|
|Elimination||To eliminate malware from Android device a full scan with reputable anti-malware software should be performed|
|Optimization||To clean duplicates and monitor your apps, download and install Reimage Reimage Cleaner Intego|
Smartphones are now standalone devices greatly surpassing desktop machines when it comes to volume. According to statistics portals, there are more than 14 billion mobile devices currently in circulation,, so there is no doubt that threat actors are willing to benefit from this saturated market.
This can also be noted with an increasing amount of malware that is being produced for portable devices, especially Android OS-based ones. The malware was created to steal from victims and benefit cybercriminals – we will try to explain how to prevent its infiltration and how to remove EventBot virus for good to avoid extensive data compromise.
Just like many other Android virus members, EventBot makes its way to users' devices via applications downloaded from insecure third-party sources. While some apps might be unheard of, it is not uncommon for malware to be disguised as a well-known application. Researchers also managed to trace several legitimate application icons that were used to disguise EventBot malware inside.
Before the installation is complete, EventBot asks for several permissions within the Android device, some of which include:
- install other packages;
- create windows that are shown on top of other apps;
- allow running in the background;
- allow reading SMS contents;
- access information about network;
- allow the app to start with each device launch, etc.
Knowing about EventBot capabilities and purpose, these permissions make much sense. Nonetheless, many users do not pay close attention to permissions and simply allow them all during the installation of the fake app, as they believe it can be trusted (e.g., Adobe Flash Player, MS Word, etc.).
Once established, EventBot Trojan asks for accessibility service access. These are typically used to help users with disabilities to help them perform actions on their mobile devices they would normally not be able to, such as writing, performing gestures, and other functions. With this permission, EventBot will be able to operate as a keylogger, recording all inputs and screen presses from that point.
EventBot is a type of malware that abuses accessibility feature to acquire keylogging function
As soon as it establishes itself, EventBot downloads a configuration file for 200 different financial apps, which include Santander, CapitalOne, HSBC, UniCredit, Revolut, TransferWise, Coinbase, Paypal Business, and many more. This allows the malware to gather sensitive information, such as keystrokes, passwords, transactions, from these apps and send it off to a remote server (data is encrypted with various different ciphers, depending on the version).
When it comes to EventBot removal, only a reputable anti-malware software can help you. When it comes to its detection, you might not notice the malware operating the background, although excessive battery usage is one of the main indicators of the infection. Additionally, we would like to recommend using Reimage Reimage Cleaner Intego to optimize and keep your Android device clean.
EventBot versions and improvements
Even though EventBot is a relatively new malware strain, several versions were already identified by security researchers, including:
- Version 0.0.0.1 uses RC4 and Base64 Packet encryption to send out device information and other metadata within a JSON file. The action is repeated until a successful connection to C2 server is made.
- Version 0.0.0.2 loads its main module dynamically, preventing static analysis from outside sources.
- Version 0.3.0.1 includes region-based features to make the app more believable in different countries. This variant also included a function that allows malware to track PIN changes within settings.
- Version 0.4.0.1 incorporated new obfuscation techniques with the help of ProGuard. Additionally, the package name was no longer “com.example.eventbot,” which makes it more difficult to detect.
Based on numerous differences between these variants, security experts quickly concluded that EventBot is still under active development:
EventBot is in constant development, as seen with the botnetID string above, which shows consecutive numbering across versions. This example is from a later version of EventBot, and in other versions the naming convention is very similar, with bot IDs such as word100, word101, word102, and test2005, test2006 etc.
While researchers managed to identify several peculiarities about EventBot malware itself, they could not link it with any cybercriminal gangs, all while monitoring underground forums. This is another strong hint that the virus is not yet fully released, and will be available for sale only later.
EventBot tries to steal information from 200 financial apps
Avoid downloading apps from third-parties
Currently, there are over 2.8 million apps on Google Play and, while the IT giant Google does not always manage to keep malicious applications away, it is one of the most secure platforms to use. Of course, security measures are applied in most other websites, although they are nowhere near as extensive as Google's. In most cases, users are keen on downloading apps from unknown sites after they see a link on various platforms, such as Facebook or YouTube.
By default, Android devices are configured not to allow apps from external sources to be installed in the first place. However, many users deliberately switch that function off, exposing their smartphones to potential risks and malware infections. Therefore, turn the security feature back on and avoid third-party sources as much as possible.
Other tips to keep your Android device secure:
- Before installing application, check for permissions it asks for, and ask yourself whether a weather app needs access to read your SMS;
- Always keep your device up to date;
- Install powerful anti-malware software that would detect online treats for you;
- Enable Google Play Protect feature.
Eliminate EventBot malware to protect your finances and privacy
As previously mentioned, EventBot virus might not emit any symptoms, just like many other Trojans do, as they are programmed to operate stealthily. This outlines how important it is to protect mobile devices with security software, and that malware might operate silently in the background for a prolonged time without being noticed. Nonetheless, since the virus actively communicates with a remote server, sends packet information, and performs a variety of other actions, the phone or tablet might suffer from battery drain.
For EventBot removal, employ a powerful anti-malware software and perform a full system scan. Please be aware that not all mobile security tools are effective, as was confirmed by an in depended testing lab AV-Comparatives. Thus, make sure you pick a reliable anti-malware first.
Once you remove EventBot from your system, you should also clear your web browser data and immediately change your passwords for all the apps/accounts. Additionally, you should monitor your online banking to ensure that no illegal transactions are performed. If that is the case, contact your bank immediately and block the account.
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.
The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login.
VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.
Backup files for the later use, in case of the malware attack
Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.
It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.