EventBot

EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

ID: S0478
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 26 June 2020
Last Modified: 26 June 2020

Techniques Used

Domain ID Name Use
Mobile T1437 .001 Application Layer Protocol: Web Protocols

EventBot communicates with the C2 using HTTP requests.[1]

Mobile T1407 Download New Code at Runtime

EventBot can download new libraries when instructed to.[1]

Mobile T1521 .001 Encrypted Channel: Symmetric Cryptography

EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

EventBot registers for the BOOT_COMPLETED intent to auto-start after the device boots.[1]

Mobile T1417 .001 Input Capture: Keylogging

EventBot can abuse Android’s accessibility service to record the screen PIN.[1]

.002 Input Capture: GUI Input Capture

EventBot can display popups over running applications.[1]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

EventBot has used icons from popular applications.[1]

Mobile T1406 Obfuscated Files or Information

EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1]

Mobile T1636 .004 Protected User Data: SMS Messages

EventBot can intercept SMS messages.[1]

Mobile T1513 Screen Capture

EventBot can abuse Android’s accessibility service to capture data from installed applications.[1]

Mobile T1418 Software Discovery

EventBot can collect a list of installed applications.[1]

Mobile T1426 System Information Discovery

EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1]

Mobile T1422 System Network Configuration Discovery

EventBot can gather device network information.[1]

.001 Internet Connection Discovery

EventBot can gather device network information.[1]

References