The Indian government has issued a notification about a new mobile banking malware called EventBot, which can infiltrate your device, steal confidential information about your bank account and read SMS messages, allowing it to bypass the two-factor authentication set by various banks. The details of this new malware have been explained by the Indian Computer Emergency Response Team (CERT-In), which is the cybersecurity division of the Ministry of Electronics and Information Technology (MeitY).
“It uses several icons to masquerade as legitimate apps such as Microsoft Word, Adobe Flash and others using third-party application downloading sites to infiltrate into victim device. It is a mobile-banking Trojan and info-stealer that abuses Android’s in-built accessibility features to steal user data from financial applications, read user SMS messages and intercept SMS messages, allowing malware to bypass two-factor authentication,” the CERT-In highlighted in its advisory.
It mentions that the malware targets over 200 financial applications, including banking apps and money transfer services among others, and that most of the activity has been observed on platforms used in the US and Europe. However, it cautions that some of the services are likely to affect Indian users as well.
The malware “largely targets financial applications like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, TransferWise, Coinbase, paysafecard etc.,” the CERT-In added in its advisory. Interestingly, the cyber arm of the Indian government pointed out that the malware has not been spotted in any of the apps available through Google Play Store as of now, which is why it is asking people to avoid downloading financial apps from third-party stores.
How does EventBot attack?
“Once installed on victim’s Android device, it asks permissions such as controlling system alerts, reading external storage content, installing additional packages, accessing the internet, whitelisting it to ignore battery optimisation, prevent processor from sleeping or dimming the screen, auto-initiated upon reboot, receive and read SMS messages and continue running and accessing data in the background,” the advisory explained.
“Over time, it can also read Lock Screen and in-app PIN that can give the attacker more privileged access over victim device,” the advisory said.
With so many apps these days offering secure lock features, including biometrics, it’s easy to see why attackers are also updating their techniques with time and trends. But since the malware has yet to appear in Google Play Store, it’s advisable that you follow what CERT-In recommends:
– Don’t download apps from third-party app stores or unknown (and unsecure) websites
– Install and update antivirus software for mobile devices
– Check the kind of permissions and access the app is asking for before downloading it
– Do not download apps or access mail via unsecure public Wi-Fi networks
– Do not download email attachments from unknown senders
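The permission check recommended above can be automated against an app's decoded AndroidManifest.xml. The following is an added example, not code from CERT-In or the article: the mapping from the advisory's wording to Android permission names, the `MIN_MATCHES` threshold and the function names are assumptions, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping from the advisory's prose to Android permission names.
ADVISORY_PERMISSIONS = {
    P + "SYSTEM_ALERT_WINDOW": "control system alerts",
    P + "READ_EXTERNAL_STORAGE": "read external storage content",
    P + "REQUEST_INSTALL_PACKAGES": "install additional packages",
    P + "INTERNET": "access the internet",
    P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "ignore battery optimisation",
    P + "WAKE_LOCK": "prevent processor from sleeping",
    P + "RECEIVE_BOOT_COMPLETED": "auto-initiate upon reboot",
    P + "RECEIVE_SMS": "receive SMS messages",
    P + "READ_SMS": "read SMS messages",
}
ACCESSIBILITY_BIND = P + "BIND_ACCESSIBILITY_SERVICE"
MIN_MATCHES = 5  # assumed triage threshold, not from the advisory


def review_manifest(manifest_xml):
    """Compare a decoded AndroidManifest.xml with the advisory's permission list."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    matched = sorted(p for p in ADVISORY_PERMISSIONS if p in requested)
    # An accessibility service is declared as a <service> guarded by this permission.
    accessibility = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
                        for s in root.iter("service"))
    sms = any(p.endswith("_SMS") for p in matched)
    return {"matched": matched, "accessibility_service": accessibility,
            "flagged": accessibility and sms and len(matched) >= MIN_MATCHES}


def sample_manifest(perms, accessibility):
    """Build a constructed manifest for the demo; not taken from any real app."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    svc = (f'<service android:name=".Helper" android:permission="{ACCESSIBILITY_BIND}"/>'
           if accessibility else "")
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}<application>{svc}</application></manifest>')


# Constructed inputs: a "document viewer" asking for far more than it needs, and a plain app.
OVERREACHING = sample_manifest(["INTERNET", "READ_SMS", "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW",
                                "REQUEST_INSTALL_PACKAGES", "RECEIVE_BOOT_COMPLETED"], True)
ORDINARY = sample_manifest(["INTERNET", "READ_EXTERNAL_STORAGE"], False)

if __name__ == "__main__":
    for label, xml in (("overreaching", OVERREACHING), ("ordinary", ORDINARY)):
        result = review_manifest(xml)
        print(label, "flagged" if result["flagged"] else "ok", len(result["matched"]))
```

A flag here is a triage signal for manual review, since legitimate apps can request some of the same permissions.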