Just to be clear before I start, this is not a technical hack. It relies on human beings to make mistakes. Human beings are almost always the weak link.
A new banking trojan is stealing financial information from Android users in the United States, UK, Germany, Italy, Spain, Switzerland and France.
Even though this particular malware is currently going after Android users, there is no reason to think that it would not work on iPhones, because it depends on users not paying attention.
The malware was dubbed EventBot by the researchers who discovered it. It targets over 200 different financial applications, including money transfer services, cryptocurrency and banking apps.
Currently, this malware is NOT being distributed through the official Play Store, so this is one that you can’t blame Google for not detecting. Users who load software from shady providers often get their software with a side of malware. These sites usually provide some form of illegal content – you name the type.
The main mistake the people who get hacked make is not paying attention to the permissions their apps ask for and are granted.
In this case, the app asks to run in the background, ignore battery optimization, prevent the processor from sleeping, etc.
One key permission the app asks for is to turn on Android’s accessibility services, which is really designed to support the physically challenged. If you do not have a physical disability, you should NEVER give an app this permission.
These apps, of course, use social engineering to convince users to give them an entire boatload of permissions. Users, who are not security experts, don’t understand all this permissions stuff anyway, and trust developers to be honest.
Trusting developers to be honest is, well, a bit of an oxymoron.
While 99+% of developers are, in fact, honest, it’s the ones that are not who steal you blind. In this case, they empty your bank account.
This particular app asks for the permission to launch itself after boot (Nope – don’t do it, ever). That way it is always running in the background.
When you launch one of the apps that it understands, it looks to see if you have two factor authentication turned on. If you don’t, it just steals your password and empties your account. If you do AND THE TWO FACTOR IS A TEXT MESSAGE, it logs in and waits for the text message to come in (yes, it asked for permission to read your text messages) and then empties your bank account.
Two ways to defeat this cold.
- Pay attention to the permissions an app asks for. If it asks for too many permissions or permissions that you don’t understand why it needs, either don’t install the app or revoke the permissions immediately after installation.
- Don’t use text messages as the second factor. If you use a Time-Based One Time Password (TOTP, like Google Authenticator or one of the many others), this attack doesn’t work because, try as they might, there is no text message to steal.
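As an added example (not from the post or from Bleeping Computer), here is a small Python check that reads an app's decoded AndroidManifest.xml and flags the permission combination described above: SMS access plus an accessibility service plus the boot and keep-alive permissions. It assumes the manifest has already been decoded from the APK (for example with apktool), and the two manifests below are constructed samples, not real EventBot artifacts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the post describes the trojan asking for, and why each matters.
RISKY = {
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time codes",
    "android.permission.READ_SMS": "can read SMS one-time codes",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself after boot",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "stays alive in the background",
    "android.permission.WAKE_LOCK": "keeps the processor awake",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: can read and drive the UI",
}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def requested_permissions(manifest_xml):
    """Return every permission the manifest requests or binds a service to."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}
    # An accessibility service is declared on a <service>, not in <uses-permission>.
    perms |= {s.get(f"{{{ANDROID_NS}}}permission") for s in root.iter("service")}
    return {p for p in perms if p}


def review(manifest_xml):
    """Score the manifest: 'ok', 'review', or 'sms-2fa-theft-capable'."""
    found = requested_permissions(manifest_xml) & RISKY.keys()
    if found & SMS and A11Y in found:
        verdict = "sms-2fa-theft-capable"  # can read codes and operate the banking app
    elif found:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": {p: RISKY[p] for p in sorted(found)}}


# Constructed sample manifests (hypothetical package names).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freevideo">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application><service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service></application>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(name, review(m))
```

The same check can be run against `adb shell dumpsys package <pkg>` output on a device you own, but parsing that text format is left to the reader.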
Bottom line, it is a real attack, it is happening now, has happened before, will happen in the future and is dependent on fooling users.
Credit: Bleeping Computer