EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

Domain | ID | Name | Use
---|---|---|---
Mobile | T1418 | Application Discovery | |
Mobile | T1402 | Broadcast Receivers | EventBot registers for the
Mobile | T1412 | Capture SMS Messages | |
Mobile | T1407 | Download New Code at Runtime | |
Mobile | T1417 | Input Capture | EventBot can abuse Android’s accessibility service to record the screen PIN.[1]
Mobile | T1411 | Input Prompt | |
Mobile | T1444 | Masquerade as Legitimate Application | |
Mobile | T1406 | Obfuscated Files or Information | EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[1]
Mobile | T1513 | Screen Capture | EventBot can abuse Android’s accessibility service to capture data from installed applications.[1]
Mobile | T1437 | Standard Application Layer Protocol | |
Mobile | T1521 | Standard Cryptographic Protocol | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1]
Mobile | T1426 | System Information Discovery | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1]
Mobile | T1422 | System Network Configuration Discovery | |