Over the last several weeks, a group of unidentified hackers have been methodically testing a new piece of code designed to steal credentials people use to log into banks and other financial institutions. Like many a product developer, the hackers have been fine-tuning the malicious software to make it more effective in siphoning off data from a mobile phone.
Perhaps unbeknownst to the hackers, a team of researchers have been watching and taking notes. On Thursday, the researchers, from Boston-based security company Cybereason, published their findings in an effort to preempt attacks on banking customers.
It’s one of a wave of recent malicious applications designed to steal users’ banking data. In the last month, security researchers have reported malware targeting banking customers in Brazil and Spain. As an even greater number of people around the world use mobile banking, the impetus for criminals to compromise those transactions has grown.
The new malware, called EventBot, is capable of targeting no less than 200 financial apps on the Android operating system, from the Barclays banking app to money transfer services like PayPal Business, Cybereason said. Most of the apps are for European banks and cryptocurrency exchanges. It is unclear who is behind the new malware; the researchers are still investigating.
The malware abuses Android’s accessibility features, which make it easier for the user to interact with the device, to access data stored in the financial apps. Like other banking malware, EventBot is capable of intercepting the text messages that people use as a secondary security measure to log into their bank accounts.
Assaf Dahan, Cybereason’s head of threat research, said it could only be a matter of time before the hackers begin using the malware against banking customers.
“Our customer base telemetry did not pick up live attacks yet but it seems like they’re getting very close to doing so,” Dahan told CyberScoop in an email.
The question is: What route will the attackers take to try to get their code onto mobile phones? Cybereason analysts predicted the malware would pop up in a “rogue” third-party app store. But they also didn’t rule out the hackers trying to sneak it into the Play Store, the official Android app center that Google tries to closely guard.
“It is definitely a possibility,” Dahan said. “That’s why we want to raise awareness to this threat.”
Financial institutions around the world have had to put up with relentless crooks who target their customers with fake apps or phony text messages. From June 2019 to January 2020, scammers sent phishing messages to 4,000 IP addresses tied to customers of big banks like Chase, the Royal Bank of Canada, and London-based HSBC, according to mobile security company Lookout.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry threat-sharing hub that includes big U.S. banks, said it issues regular threat advisories, including on banking trojans.
“This is part of our business as usual,” FS-ISAC spokesperson Elizabeth Heathfield said of the advisories.