S0478 EventBot
EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]
Item | Value |
---|---|
ID | S0478 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 26 June 2020 |
Last Modified | 26 June 2020 |

Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | EventBot communicates with the C2 using HTTP requests.[1] |
mobile | T1407 | Download New Code at Runtime | EventBot can download new libraries when instructed to.[1] |
mobile | T1521 | Encrypted Channel | - |
mobile | T1521.001 | Symmetric Cryptography | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1] |
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | EventBot registers for the BOOT_COMPLETED intent to auto-start after the device boots.[1] |
mobile | T1417 | Input Capture | - |
mobile | T1417.001 | Keylogging | EventBot can abuse Android’s accessibility service to record the screen PIN.[1] |
mobile | T1417.002 | GUI Input Capture | EventBot can display popups over running applications.[1] |
mobile | T1406 | Obfuscated Files or Information | EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.004 | SMS Messages | EventBot can intercept SMS messages.[1] |
mobile | T1513 | Screen Capture | EventBot can abuse Android’s accessibility service to capture data from installed applications.[1] |
mobile | T1418 | Software Discovery | EventBot can collect a list of installed applications.[1] |
mobile | T1426 | System Information Discovery | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1] |
mobile | T1422 | System Network Configuration Discovery | EventBot can gather device network information.[1] |