The Truth About the EventBot Android Trojan That Allegedly Bypasses 2FA
At the end of April, reports of a new strain of mobile banking malware for Android that can allegedly bypass two-factor authentication caught my eye. The new malware targets almost 200 mobile financial services apps across multiple geographies, including the United States, Italy, U.K., Spain, Switzerland, France, and Germany. But what’s new about this strain? How serious is the threat? What do developers need to do to protect themselves and their users from this and similar threats? The following is what I found out in consultation with some of our mobile app security experts and reviewing security research and various media reports.
EventBot Android Malware Analysis
First off, it turns out there’s no need to panic. EventBot has not been found to be a part of any active campaigns at this time. However, that could change any day, and it’s a reminder to all of us not to get complacent or lazy. The researchers that discovered EventBot have said it’s in its “early stages” and under active development. While EventBot is not necessarily any more sophisticated or dangerous than mobile banking trojans of the past, the security researchers that discovered it do believe it is a novel strain and not a simple clone or copy of other mobile banking trojans already out there. This serves as evidence that criminals do still see value in investing time, effort, and money into creating mobile banking malware innovations. And, as long as attackers see value in it, it’s a signal that developers, Apple, Google, and cell carriers are leaving security gaps in their apps that malicious individuals will readily exploit for profit.
How the EventBot Android Malware Works and How to Mitigate Risk
EventBot uses the same bag of tricks as most mobile malware targeting banking apps, including features such as reading SMS messages, launching overlay attacks, and performing other malicious activities such as keylogging. Overlays are quite common these days; a study last summer found that 51 percent of malicious Android apps use overlay attacks. With an overlay screen, the malware presents another window on top of the legitimate application in order to trick users into divulging their credentials or other information. The malware gains its power by tricking the user into granting it a number of powerful permissions – abusing Android’s accessibility feature.
Once granted these permissions, the Android malware can log keystrokes to steal credentials and send them to the attacker, as well as read notifications and content displayed by a targeted app. Developers can mitigate the risks of EventBot with a few simple cybersecurity best practices:
- Assume your app will in some cases operate in hostile mobile environments such as an Android device infected with malware. Take precautions to code your app securely. For example, do not store data in the shared external storage which all apps, malicious or not, can access.
- Do not use codes sent via SMS text messages to authenticate users. Nothing is perfect, but push notifications are a better choice.
- Add an additional layer of protection to mobile banking apps with app shielding, also referred to as runtime application self-protection, to stop malware from tampering with your mobile app’s runtime environment.
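As an added illustration of the first two precautions above (example code written for this article, not code from the original post or from OneSpan), the following Android Activity uses standard platform APIs to block screen capture, reject touches delivered through an overlay window, keep a sensitive field out of accessibility events, flag that an accessibility service is active, and keep app data in private internal storage. The layout and view ids (`R.layout.login`, `R.id.password`) and the file name are assumed placeholders.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

// Hypothetical login screen; R.layout.login and R.id.password are placeholders.
public class LoginActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Block screenshots and screen recording of this window.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.login);
        EditText password = (EditText) findViewById(R.id.password);
        // Drop touches delivered while another window (an overlay) covers the
        // view: the platform's built-in tapjacking defense.
        password.setFilterTouchesWhenObscured(true);
        // Exclude the field from accessibility events, the channel that
        // EventBot-style malware abuses to read screen content.
        password.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO);
        if (hasEnabledAccessibilityServices()) {
            // Risk signal only: warn the user or step up authentication here.
        }
    }

    // Any enabled accessibility service (TalkBack included) matches: a risk signal, not proof.
    boolean hasEnabledAccessibilityServices() {
        AccessibilityManager am =
            (AccessibilityManager) getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled = am.getEnabledAccessibilityServiceList(
            AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        return enabled != null && !enabled.isEmpty();
    }

    // App-private data goes to internal storage (MODE_PRIVATE), never to shared external storage.
    void saveToken(String token) throws IOException {
        try (FileOutputStream out = openFileOutput("session.token", Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

Marking a view as not important for accessibility also hides it from legitimate screen readers, so apply it only to the handful of views that carry secrets and keep the rest of the screen accessible.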
Closing Thoughts on the EventBot Malware
While EventBot does appear to be a new malware strain, it’s not necessarily any more sophisticated than other malware we’ve seen in the past. One security expert who analyzed EventBot stated that they wouldn’t rate it within the top three most dangerous malware families that abuse accessibility services and called it just a “keylogger with extra permissions.” Taking proper precautions against the broader collection of mobile cybersecurity threats out there will likely protect your users against such attacks. In particular, after testing we know that the app shielding option within OneSpan’s Mobile Security Suite can detect and interdict the screen-reading activities of EventBot. If a user’s device was infected with the EventBot malware, but the mobile app used had OneSpan app shielding applied, the malware would not be able to read the screen content even if the user had granted accessibility permissions to the malicious app.