New Android Malware Steals 2FA Codes and Banking Passwords

>

May 10, 2020

Android’s reputation has been somewhat tarnished over the years due to the copious amounts of Malware that has cropped up for the mobile OS. Sometimes even managing to make its way to Google’s own Play Store. Well, more Android malware has been found, and this time very sophisticated. Dubbed EventBot, security researchers discovered this new malware has the ability to not only steal Banking Passwords but also 2FA Codes

A look at EventBot

EventBot works by pretending to be a legitimate Android app, such as Adobe Flash, or Microsoft Word for Android. EventBot then takes advantage of Android’s accessibility features to obtain low-level access to the operating system. EventBot can steal passwords from more than 200 banking and cryptocurrency apps, and can even steal 2FA codes sent via text message. Some of the impacted apps include PayPal, Coinbase, CapitalOne, and HSBC. These stolen passwords are sent back to the malware operator’s servers for future use. 

EventBot can also record every single action on the device. It can even read notifications from other apps, making it easy for the attackers to piece sensitive information together. 

The researchers believe that EventBot is a completely new malware, having found no evidence of copying other currently in-the-wild Android malware. 

EventBot is still evolving 

The security researchers at Cybereason found that over the few weeks they have been monitoring EventBot, it has had constant development. Assaf Dahan, head of threat research at Cybereason told TechCrunch “The developer behind EventBot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high.”

The security researchers found that every few days, new features were being added to the malware. For example, at one point they found that the malware operators had improved the encryption being used to phone home to the operator’s server. Another added feature was the ability to capture the lock code of the device. Possibly to allow the malware to gain even higher privileges to Android. 

As it currently stands, no one has a clue as to who is behind this new EventBot malware. More investigation will surely take place, but as of now, the operators are doing their very best to obfuscate the source of EventBot. 

How can you avoid EventBot?

The best thing you can do to avoid EventBot is to not download and install apps from unknown sources, such as third-party app stores. Whilst it is true that the Play Store is far from perfect when it comes to keeping malware out, it is often still better curated than other stores. Even when downloading apps from the Play Store, make sure to stick to well-known and verified apps. 

2FA is still important! 

Whilst EventBot can steal 2FA codes via text, 2FA is still by far the best thing you can do to secure your online accounts. Do not be dissuaded due to such malware. 2FA will still protect you from the vast majority of online account hijacking attempts. So, where available, make sure to enable 2FA. Preferably through an app or physical security key, as SMS is not the best authentication method. Though it is still better than nothing, especially as many services only offer SMS 2FA at the moment, particularly banks.