How EventBot malware exploits shift to mobile payments during coronavirus crisis


The criminals behind the EventBot malware built it to take advantage of businesses and consumers shifting to mobile banking and payments during the coronavirus crisis, and designed it to update itself on the fly so it can become more insidious over time.

The newly discovered EventBot infects Android devices and specifically targets mobile banking, mobile wallet and other financial services apps. It gets onto a device by masquerading as a legitimate Android app such as Adobe Flash or Microsoft Word; Flash Player has not been available for Android since 2012, so any app presenting itself as Flash is a decoy by definition.

Many malware strains cast a wide net. EventBot has a specific mission in terms of the data it intends to harvest, which lets it expand its access into parts of the operating system and eventually into victims' bank and mobile wallet accounts.

That may not sound any scarier than the many other malware families cybersecurity companies and payment providers have encountered, but EventBot's traits position it as a different type of fraud player.

"It has a specific target list that it is looking for and it is updated regularly," said Tom Tovar, CEO of Appdome, a cybersecurity firm operating in Silicon Valley. "For starters, it specifically targeted banks in areas that were hit hardest and suffering the most with coronavirus, with a good chunk in Italy and Spain."

Much of the security community is focused on how EventBot evolves, hides itself and refreshes its social engineering techniques; throughout, Tovar said, it continues to operate "like a lean startup that an organization is building purposely."

EventBot is expected to keep receiving updates that advance it beyond its first and second generations.

"It is really interesting to see the development, not just on the malicious methods, but the amplification of techniques the system is using," Tovar said.

Whether EventBot can trigger the kind of alarm the WannaCry ransomware attack sparked three years ago isn't known at this time. WannaCry infected more than 200,000 systems worldwide, many of them involved in payments, by spreading as a worm through a Windows SMB vulnerability (patched by Microsoft in MS17-010). It is widely attributed to North Korea, and the U.K.'s National Health Service was among its earliest and most visible victims before it spread further.

It left many experts warning that a stronger WannaCry could emerge in the future. EventBot may have some work to do to reach that status, but its fundamentals create a frightening scenario in terms of what could come next as developers treat their malware like a product built for a long shelf life.

"Of course, all malware is bad, but it's too early to say the sky is falling regarding EventBot," said Joseph Krull, an Israel-based senior analyst on cybersecurity for Aite Group. "It does potentially impact a number of mobile banking applications and gives the ability to conduct classic man-in-the-middle authentication attacks."

EventBot has targeted Android because it is an easier operating system to infect based on its architecture and decentralized security model, Krull noted. "If it's any consolation, the mobile apps targeted are primarily European, where security technical controls can range from horrible to good."

Security researchers have found that once EventBot is installed, whether by a user who falls for a social engineering ploy or by someone with physical access to the victim's phone, the fake app siphons off passwords for payment, mobile banking and cryptocurrency wallet apps, and intercepts the one-time codes that banks send by text message for two-factor authentication.

That information is sent to the attackers' command-and-control server, and it does not take long before the stolen passwords and codes are used to drain bank accounts, payment apps and wallets.
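The two things the article says about how EventBot gets in, a decoy app impersonating a well-known product and the ability to read incoming SMS, are both visible in an installed app's metadata before any money moves. The triage heuristic below is an added example, not code from the article, Appdome or any other vendor: it scores a constructed list of installed-app records (the fields mirror what `pm list packages -i` and a manifest's `uses-permission` entries would give) and flags an app that claims a brand it does not ship under, was not installed from Google Play, and asks for SMS permissions. The brand-to-package mapping, the weights and the sample apps are assumptions made for the example.

```python
"""Triage heuristic for EventBot-style decoy apps.

Added example; not from the article or any vendor.  Assumes a constructed list of
installed-app records with the package name, user-visible label, installer package
and requested permissions.  Brand mapping, weights and thresholds are illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Installer package of the Google Play Store; anything else (None for adb or a
# browser download) means the app was sideloaded.
PLAY_STORE = "com.android.vending"

# Real Android permission names.  Google Play only lets the default SMS handler
# request these, so a "Flash" or "Word" app asking for them is a red flag.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Brands the article reports EventBot impersonating, mapped to the package name
# the genuine app ships under (assumed for this example; keep your own allow-list).
IMPERSONATED_BRANDS = {
    "adobe flash": "com.adobe.flashplayer",
    "microsoft word": "com.microsoft.office.word",
}

# Impersonation plus SMS access is the EventBot pattern and scores "high" on its own.
WEIGHTS = {"impersonation": 3, "sms": 2, "sideloaded": 1}


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]   # None = sideloaded
    permissions: Set[str]


def triage(app: InstalledApp) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) for one installed app; verdict is low/medium/high."""
    score = 0
    reasons: List[str] = []
    label = app.label.lower()

    for brand, official_pkg in IMPERSONATED_BRANDS.items():
        if brand in label and app.package != official_pkg:
            score += WEIGHTS["impersonation"]
            reasons.append(f"label claims to be {brand!r} but package is {app.package}")
            break

    if app.installer != PLAY_STORE:
        score += WEIGHTS["sideloaded"]
        reasons.append("not installed from Google Play")

    if app.permissions & SMS_PERMS:
        score += WEIGHTS["sms"]
        reasons.append("can read incoming SMS (one-time 2FA codes)")

    verdict = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return verdict, reasons


# Constructed sample inventory (not real data): one genuine Word install, one
# EventBot-style decoy, and the default Messages app, which legitimately reads SMS.
SAMPLE_APPS = [
    InstalledApp("com.microsoft.office.word", "Microsoft Word", PLAY_STORE,
                 {"android.permission.INTERNET"}),
    InstalledApp("com.example.flashplayer", "Adobe Flash Player", None,
                 {"android.permission.INTERNET",
                  "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS"}),
    InstalledApp("com.google.android.apps.messaging", "Messages", PLAY_STORE,
                 {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
]


def triage_all(apps: List[InstalledApp]) -> dict:
    """Map each package name to its verdict."""
    return {app.package: triage(app)[0] for app in apps}


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        verdict, reasons = triage(app)
        print(f"{app.package}: {verdict}")
        for reason in reasons:
            print(f"  - {reason}")
```

The default SMS app scores low even though it reads SMS, because the scoring only escalates when SMS access is combined with impersonation or sideloading; on a real device you would also check whether the app is the configured default SMS handler rather than relying on the installer field alone.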

"Hackers don't hack apps, they build systems to hack apps and that is what EventBot is showing," Appdome's Tovar said. "The props go to the hacker who builds the most tools now, whereas before it went to the hacker who got into the hardest systems to break."

The silver lining, Tovar said, is that defense mechanisms at the app level, including AI-based ones, exist to thwart EventBot and others like it.

"Put those defenses in your mobile app and you have a first line defense against mobile fraud, identity theft and account takeovers," he added. "Don't put all of the emphasis on the back-end protections because attacks happen out where people live inside of your mobile business ... they live on the mobile app."

For its part, Google has improved Android security over the past few years by screening apps submitted to Google Play and by scanning installed apps, including those from third-party sources, through Google Play Protect, in an attempt to cut down on malware. But fraudsters still manage to evade those protections on occasion.

Because of that, the security focus has to shift to the origin of the attacks, said Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a market research company.

"Attacks against mobile operating systems and mobile devices are just more of what has always been, but it always picks up during times of crisis like coronavirus," Litan said.

"It is amazing how quickly criminals act to exploit vulnerabilities in the population as well as the devices," she added. "It's really important to start aiming at the attacker and not just all of the attacks."

The nightmare scenario for banks and retail payments is malware that makes its way into the devices themselves, such as smartphones and other hardware that can initiate transactions, Litan said.

"If hackers were to compromise the factories where these devices are made and put in back-door malware that no one sees for a couple of years, that would be what everyone is really afraid of," Litan said. "Even if manufacturers were to see it, and the only way to stop it was to recall all of the phones and devices, by then it is too late."
