EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]
Domain | ID | Sub-ID | Name | Use |
---|---|---|---|---|
Mobile | T1437 | .001 | Application Layer Protocol: Web Protocols | |
Mobile | T1407 | | Download New Code at Runtime | |
Mobile | T1521 | .001 | Encrypted Channel: Symmetric Cryptography | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1] |
Mobile | T1624 | .001 | Event Triggered Execution: Broadcast Receivers | EventBot registers for the |
Mobile | T1417 | .001 | Input Capture: Keylogging | EventBot can abuse Android’s accessibility service to record the screen PIN.[1] |
Mobile | T1417 | .002 | Input Capture: GUI Input Capture | |
Mobile | T1655 | .001 | Masquerading: Match Legitimate Name or Location | |
Mobile | T1406 | | Obfuscated Files or Information | EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1] |
Mobile | T1636 | .004 | Protected User Data: SMS Messages | |
Mobile | T1513 | | Screen Capture | EventBot can abuse Android’s accessibility service to capture data from installed applications.[1] |
Mobile | T1418 | | Software Discovery | |
Mobile | T1426 | | System Information Discovery | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1] |
Mobile | T1422 | | System Network Configuration Discovery | |
Mobile | T1422 | .001 | Internet Connection Discovery | |