
S0478 EventBot

EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

| Item | Value |
|---|---|
| ID | S0478 |
| Associated Names | |
| Version | 1.0 |
| Created | 26 June 2020 |
| Last Modified | 26 June 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | EventBot communicates with the C2 using HTTP requests.[1] |
| mobile | T1407 | Download New Code at Runtime | EventBot can download new libraries when instructed to.[1] |
| mobile | T1521 | Encrypted Channel | - |
| mobile | T1521.001 | Symmetric Cryptography | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | EventBot registers for the BOOT_COMPLETED intent to auto-start after the device boots.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | EventBot can abuse Android’s accessibility service to record the screen PIN.[1] |
| mobile | T1417.002 | GUI Input Capture | EventBot can display popups over running applications.[1] |
| mobile | T1406 | Obfuscated Files or Information | EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | EventBot can intercept SMS messages.[1] |
| mobile | T1513 | Screen Capture | EventBot can abuse Android’s accessibility service to capture data from installed applications.[1] |
| mobile | T1418 | Software Discovery | EventBot can collect a list of installed applications.[1] |
| mobile | T1426 | System Information Discovery | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1] |
| mobile | T1422 | System Network Configuration Discovery | EventBot can gather device network information.[1] |