Mobile banking, mobile payment, mobile wallet and other FinTech providers who offer Android solutions to their customers now have to contend with a new form of data harvesting malware on Android devices. Brought to light on April 30th by the Nocturnus Research team at Cybereason, this new form of malware is commonly known as “EventBot.”

Appdome believes this a new class of malware that has the potential to spawn several new malware programs, each of which harvests unprotected data, and gains access to unprotected mobile apps on users devices. If you would like to know if your mobile banking, mobile payment, e-wallet or crypto currency app is vulnerable to EventBot, data harvesting or other mobile malware, write to appsectest@appdome.com.

What Is EventBot?

EventBot is a malicious program (Malware) hidden within a seemingly valid app that harvests unprotected data from victim apps on the same Android device. TechCrunch reports that EventBot often masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android. Once installed, EventBot goes to work, harvesting unprotected data, expanding permissions and gaining access the accessibility options in the Android operating system.

EventBot Malware is scary for three reasons. First, it can be hidden in a modified version of a seemingly legitimate app. Currently, it hides in apps designed for work. Second, EventBot Malware targets unprotected data in mobile banking, mobile payment, mobile wallet and similar apps.  ZDnet warns that EventBot is specifically targeting mobile banking, mobile apps and cryptocurrency wallets across Europe and the United States looking for user credentials, one-time-passwords (OTPs) and account details. EventBot is designed to steal usernames, passwords and intercept two-factor authentication codes sent as text messages by these apps. Third, it is evolving quickly and employing security measures to protect against this malware is paramount.

Why Is EventBot Malware Showing Up Now?

In a previous blog, we highlighted that in COVID-19, banks and financial institutions all over the world are telling people to download and use mobile banking, mobile payment and similar apps to handle all their financial needs. This push to mobile apps has produced a surge in mobile app use and newcomers to mobile banking. Forbes is reporting a 35-80% increase in mobile banking since the coronavirus pandemic started. On top of that, a massive number of employees are now working from home, utilizing their own Android devices in what Enterprise IT teams refer to as “Zero Trust BYOD” devices to maintain productivity and complete work while working from home. Together, these two trends lead to a perfect opportunity for hackers to come in ruin the day for all mobile users.

How Does EventBot Work?

EventBot is new and researchers, including those here at Appdome, are keeping track of its development. For example, as a program, it’s not limited to hiding in apps for work or, for that matter, targeting mobile banking or wallet apps. The principle purpose of EventBot is data harvesting. It collects and exfiltrates unprotected data from the targeted mobile apps.

What should be very eye opening about EventBot is its ability to perform its malicious intent using standard methods available via the Android operating system. For example, the user installs the modified app with EventBot malware inside via alternative legitimate and nefarious app stores. We already know that early versions of EventBot are installed by users outside of the traditional Google Play app store.

Going a bit deeper, it’s important to remember that methods and tools already exist, such as PackageManage, that allow one app to get an inventory of all apps on an Android device. It wouldn’t be that hard for EventBot to use PackageManage (or a similar method) to get an inventory of all mobile apps on the Android device. With the inventory in hand, EventBot could compare the app inventory to a target list of BundleIDs for select banking, payment and wallet apps it seeks to exploit. From there, similar tools are currently available that would allow malware to extract unprotected data from apps, including usernames and passwords, API keys and secrets, and more. So far, the malware itself takes clever advantage of standard methods to extract data and gain permissions. For example, it presents a screen to the user asking to grant more permissions allowing it to intercept incoming text messages.

It doesn’t take much imagination to realize that a bad actor with a username and password harvested from an unprotected mobile app can now perform all forms of fraud, identity theft, and access the same service online using the stolen credentials. With access to the user’s SMS, it wouldn’t take much to perform an Account Takeover of a person’s banking, payment or crypto currently account on any browser or phone in the world.

Why is EventBot Malware Important?

Cybereason found that EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets. Those targeted include applications like Paypal BusinessRevolutBarclaysUniCreditCapitalOne UKHSBC UKSantander UKTransferWiseCoinbase, paysafecard, and many more.

Android applications targeted by EventBot Malware

Android applications targeted by EventBot Malware (source: Cybereason)

At Appdome, we know that the EventBot Malware isn’t the first instance of mobile malware, including mobile malware hidden inside modified trojan apps. Still, it is important for several reasons. First, EventBot is another example of publicly distributed malware inside mobile apps that harvests unprotected data from other apps on the same device. Once EventBot is on an Android device, the malware targets other apps on the same device and sends harvested data to servers located who knows where. That, by itself, makes EventBot worth watching. Second, it is a known and public example of malware that targets specific banking, financial services, payment and cryptocurrency mobile apps. This means that other versions of EventBot Malware can be used to target other vertical market segments such as mobile health, mobile retail and other industries. Third, its design gives it the ability to expand permissions and gain access to the accessibility functions within the Android operating system. This gives it access to segmented communication protocols like SMS, often relied on by 2FA and MFA vendors, and suggests that EventBot Malware was designed to perform automated account takeovers. No matter what, this means that app developers can no longer rely on 2FA or MFA to protect their apps and users. EventBot showcases how SMS MFA methods are susceptible to attack and compromise.

How Can Developers Protect Customers from EventBot Malware?

As with any security event, Appdome recommends a layered approach to securing mobile banking, payment, wallet and cryptocurrency mobile apps and users from Eventbot Malware.

First, we recommend implementing mobile app shielding and deep code obfuscation (more than just obfuscating class names) in your mobile apps. If done correctly, app shielding prevents tampering with your app, such as adding workflows and overlays in your app. It can also block other apps or code from being run on behalf of your app. A proper implementation of deep code obfuscation makes it hard for automated programs to read your code and find unprotected data stored in your app. Combined, these methods would also prevent your app from becoming a trojan itself for mobile malware, including EventBot Malware. You can learn more about Appdome’s code obfuscation product called, TOTALCode™ Obfuscation and Appdome’s app shielding product, called ONEShield™ at your convenience.

Second, developers of mobile banking, payment and cryptocurrency mobile apps should prevent their mobile apps from running on an Android device that has a compromised operating system and/or could have installed a malicious program. This is achieved by adding in-app protections against Rooting an Android Device, allowing Unknown Sources, Developer Options and more. This class of protection would check if the posture of the Android device has changed or the user is using anything other than the trusted distribution methods to install apps on the device. It also checks to see if permissions that malware might use to access the app have been turned on, either by the user or some other means. You can learn more about Appdome’s Android Operating System protections at your convenience.

Third, the EventBot Malware is designed to harvest unprotected data in mobile apps, including usernames and passwords. So, the fastest and easiest way to protect against EventBot Malware is to encrypt data created, used or stored by or inside your app. This would include encrypting data stored in the Application sandbox, data stored in strings, data stored in XML files, data stored in preferences and secrets in the app. Storing data in these areas in the app without any protection is the #1 reason EventBot Malware works. Without protection, data stored by the app, including unprotected credentials, presents low hanging fruit for any mobile malware. You can learn more about Appdome’s mobile data encryption product called, TOTALData™ Encryption at your convenience.

Developers of mobile banking, payment and cryptocurrency mobile apps can add additional protections. For example, we know that EventBot Malware uses keylogging for some of its actions. So, best practice would suggest adding Keylogger Prevention to prevent that aspect of credential theft performed by the EventBot Malware. Inside Appdome Mobile Security Suite developers have several other options, such as encrypting all the Java code of the Android app, to protect their mobile apps and the people who use their mobile banking, payment, wallet and/or crypto currency mobile apps. You can request a demo of Appdome Mobile Security Suite at anytime.

What Developers Can Learn from EventBot Malware

The biggest, most basic, lesson mobile developers can learn from EventBot Malware is this – “Do Something” to protect and secure your client mobile app. Back-end protections don’t block EventBot. While they might eventually be able to detect and notify you of the existence of EventBot, by then, the vast majority of the damage will have occurred against users of your mobile app. The device or OS level security can’t help either, because EventBot Malware (ab)uses standard methods to install itself on the device, expand permissions and gain access to accessibility options.  It’s up to you, as the developer of the mobile app, to protect your app and users.

Malicious hackers build code to exploit large scale, systemic, problems in mobile apps. It might not be lucrative to hack an individual app. But, if your app is 1 of 200, 2,000 or 200,000 mobile apps that leave data, like usernames and passwords, in the clear, there will always be bad actors working to take advantage of that opportunity. Mobile malware is not new. There is no safety in large numbers. If your mobile app shares the same lack of protections as other apps, that fact gives malicious hackers a perfect reason to target your app.

As a community of mobile developers, we need to keep in mind that mobile apps themselves are part of larger commercial ecosystems. Digital businesses and consumers rely on the same username and passwords across online and mobile channels of the same service. We should protect mobile apps from malware and other threats for their own sake. But, we should also protect mobile apps because they are a part of the larger banking, payment and cryptocurrency services trusted by people around the world.

We should also improve mobile app security training for mobile end users. Security awareness and training are always an important part of any defensive program. Still, as a developer of a mobile banking, payment or wallet app, you have no control over the user or the device on which your app is installed. In this use case, the user is free to choose and do as she or he pleases. That user, or their children, friends, relatives or others with access to their device, can download other apps which have EventBot or similar malware inside. These same users can change permissions for your app or change settings on their device at any time. If your user wants to install apps from both Google Play and other APK stores, your user can enable “Unknown Sources” and install APK files directly via the Android Package Manager. Since apps from alternative APK stores do not pass the Google Play verification process, the user does not know if the apps come with malware or not. EventBot does not advertise its malicious activities and most of its work is done in the background.

Against the backdrop of the COVID-19 crisis and the sudden increased use of mobile banking, payment, crypto currency and e-wallet apps, EventBot Malware is particularly insidious. At the same time, mobile developers who build mobile banking, mobile payment and crypto currency apps have security options to protect against EventBot and similar malware.  Do something inside your app to present a strong and different security posture to EventBot and similar malware. The better the security inside your mobile app, the more defenses you and your users enjoy.

Would You Like to Know if Your App Is Vulnerable to Malware Harvesting?

If you would like to know more about the security posture of your mobile app or want a security assessment of your mobile banking, mobile payment, e-wallet or crypto currency app, write to appsectest@appdome.com.

Starting in 2020, Appdome has completed hundreds of pen tests and vulnerability assessments of mobile banking, retail, healthcare, payment, cryptocurrency and wallet apps. If you would like to know if your app is susceptible to malware harvesting, drop us a line and ask for a security assessment of your app.

I hope you find this blog useful. And, of course, if you want to protect your Android or iOS apps today, without any code or coding, get started for at https://fusion.appdome.com