Researchers have analyzed a new strain of Android malware that doesn’t yet exist in the wild.
Cybereason boffins did this by observing submissions to the malware-scanning site VirusTotal that came not from the general public but from a source believed to be the miscreants themselves, testing whether their creation would be spotted.
Its creators call the malware EventBot, although if released it could be disguised as other applications claiming to be games or utilities, or sold as a component to other criminals. In the Cybereason report, the researchers describe how they tracked a succession of submissions, watching “features” appear as the coders improved EventBot’s capabilities.
EventBot prompts the user for permission to use accessibility services, a powerful feature because such services need extensive privileges to operate, which lets the malware act as a keylogger, for example, and run in the background.
EventBot also requests Android permissions including reading internal storage, reading and sending SMS messages, launching automatically after system boot, displaying windows over other applications, and requesting the installation of additional packages. Some of these permissions trigger a warning prompt to the user, even stating that the application will “watch the text as you type – includes personal data such as credit card numbers and passwords.”
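As an added illustration (not code from the Cybereason report or the article), a small triage script that scores an Android manifest against the permission profile described above; the mapping from each capability the article names to the standard Android permission constants is my assumption, and the sample manifest is constructed.

```python
"""Flag an AndroidManifest.xml whose requested permissions match the
EventBot-style profile described above (added triage example, not from the report)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> Android permission(s) granting it (assumed mapping).
RISKY_PERMISSIONS = {
    "read internal storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "autostart after boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "draw over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "install additional packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# An accessibility service is declared on a <service>, not via <uses-permission>.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return matched capabilities, accessibility use, a score and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = [cap for cap, perms in RISKY_PERMISSIONS.items() if requested & perms]
    accessibility = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
                        for s in root.iter("service"))
    # Accessibility access weighs more: it is what turns the other permissions into a keylogger/overlay kit.
    score = len(hits) + (2 if accessibility else 0)
    return {"capabilities": hits, "accessibility_service": accessibility,
            "score": score, "suspicious": accessibility and score >= 5}


# Constructed sample manifest mirroring the permission set the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.game">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A game or utility that legitimately needs one or two of these permissions scores low; it is the full combination plus an accessibility service that warrants a closer look.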
Wouldn’t most users refuse such permissions? Assaf Dahan, who heads the research team, told The Reg: “Most people who are not tech-savvy will not wonder why the app needs this or that permission; they will just grant it so they can let it work. Most people don’t even think it’s worth reading; there’s a lot of trust. The human link is the weakest link in cybersecurity.”
Once installed, the app downloads a configuration file listing currently around 200 financial targets, including PayPal, Coinbase, Barclays, HSBC, Santander, Starling, Lloyds, Mondo, Revolut, TSB, Tesco and Bank of Scotland – the full list is in the report. When active, it can perform webinjects, intercepting data sent to the target sites. With the ability to read SMS messages, it may be able to defeat certain types of two-factor authentication. It can also enter screen PINs, “most likely to give the malware the ability to perform privileged activities on the infected device related to payments, system configuration options,” the report said.
Newer versions of EventBot use obfuscation to hide class names in code.
Cybereason said that a third of all malware now targets mobile devices and that 60 per cent of devices accessing corporate data are mobile. In mitigation, however, Android and iOS are designed with stricter permission models than desktop PCs, and are protected by the fact that most apps are installed through a curated store. Would EventBot stand a chance of passing Google’s malware checks?
“I would like to say that it will never happen, but the facts prove the contrary,” said Dahan. “It doesn’t happen often, but malware is in the Play Store. It’s not unknown.”
Evidence for this was recently provided by Kaspersky researchers, who said of a malware campaign dubbed “PhantomLance”: “We found dozens of linked samples that had appeared in the wild since 2016 and had been deployed in various application markets, including Google Play. One of the latest samples was released on the official Android market on November 6, 2019. We informed Google about the malware and it was removed from the market soon after.”
According to Kaspersky: “We spotted a certain tactic often used by threat actors to distribute their malware. The initial versions of the applications downloaded from the application markets did not contain any payload or malicious code to drop a payload. These versions were accepted because they contained nothing suspicious, but the subsequent versions were updated with both malicious payloads and code to drop and run those payloads.”
As for EventBot, one would expect its authors to read the Cybereason report and make changes to avoid detection. “This is part of the eternal game of cat and mouse,” said Dahan. “Malware is polymorphic; it mutates all the time to evade antivirus and other security products.”
Despite the existence of EventBot and other mobile malware, is it not true that mobile devices are still more secure than desktop PCs, which are more open and give users more freedom to install applications from anywhere? “The attack surface is larger with the desktop,” Dahan told us, “but the world is moving fast to mobile. Banking trojans were really big on the desktop; they must now have a mobile component. Most banks today have two-factor authentication with a code generated on or sent to the mobile phone. Threat actors have to adapt and go mobile.”
The solution is for users not to grant excessive permissions to the apps they install, and for Google to up its game when it comes to detecting malicious submissions – although we note that EventBot itself has not yet been found anywhere other than on VirusTotal. ®