EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

ID: S0478
Platforms: Android
Version: 1.0
Created: 26 June 2020
Last Modified: 26 June 2020

Techniques Used

Domain ID Name Use
Mobile T1418 Application Discovery

EventBot can collect a list of installed applications.[1]

Mobile T1402 Broadcast Receivers

EventBot registers for the BOOT_COMPLETED intent to auto-start after the device boots.[1]

Mobile T1412 Capture SMS Messages

EventBot can intercept SMS messages.[1]

Mobile T1407 Download New Code at Runtime

EventBot can download new libraries when instructed to.[1]

Mobile T1417 Input Capture

EventBot can abuse Android’s accessibility service to record the screen PIN.[1]

Mobile T1411 Input Prompt

EventBot can display popups over running applications.[1]

Mobile T1444 Masquerade as Legitimate Application

EventBot has used icons from popular applications.[1]

Mobile T1406 Obfuscated Files or Information

EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1]

Mobile T1513 Screen Capture

EventBot can abuse Android’s accessibility service to capture data from installed applications.[1]

Mobile T1437 Standard Application Layer Protocol

EventBot communicates with the C2 using HTTP requests.[1]

Mobile T1521 Standard Cryptographic Protocol

EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1]

Mobile T1426 System Information Discovery

EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1]

Mobile T1422 System Network Configuration Discovery

EventBot can gather device network information.[1]