S0478 EventBot
EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]
Item | Value |
---|---|
ID | S0478 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 26 June 2020 |
Last Modified | 26 June 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1418 | Application Discovery | EventBot can collect a list of installed applications.[1] |
mobile | T1402 | Broadcast Receivers | EventBot registers for the BOOT_COMPLETED intent to auto-start after the device boots.[1] |
mobile | T1412 | Capture SMS Messages | EventBot can intercept SMS messages.[1] |
mobile | T1407 | Download New Code at Runtime | EventBot can download new libraries when instructed to.[1] |
mobile | T1417 | Input Capture | EventBot can abuse Android’s accessibility service to record the screen PIN.[1] |
mobile | T1411 | Input Prompt | EventBot can display popups over running applications.[1] |
mobile | T1444 | Masquerade as Legitimate Application | EventBot has used icons from popular applications.[1] |
mobile | T1406 | Obfuscated Files or Information | EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1] |
mobile | T1513 | Screen Capture | EventBot can abuse Android’s accessibility service to capture data from installed applications.[1] |
mobile | T1437 | Standard Application Layer Protocol | EventBot communicates with the C2 using HTTP requests.[1] |
mobile | T1521 | Standard Cryptographic Protocol | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1] |
mobile | T1426 | System Information Discovery | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1] |
mobile | T1422 | System Network Configuration Discovery | EventBot can gather device network information.[1] |