Security News

A new type of mobile banking malware has been discovered abusing Android's accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Called "EventBot" by Cybereason researchers, the malware is capable of targeting over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets such as Paypal Business, Revolut, Barclays, CapitalOne, HSBC, Santander, TransferWise, and Coinbase.

A new type of mobile banking malware has been discovered abusing Android's accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes. Called "EventBot" by Cybereason researchers, the malware is capable of targeting over 200 different financial apps, including banking, money transfer services, and crypto-currency wallets such as Paypal Business, Revolut, Barclays, CapitalOne, HSBC, Santander, TransferWise, and Coinbase.

These emails claim to offer help on getting government funds but instead lead recipients to a web page that tries to capture their banking credentials. A button on the site proclaims: "Get Economic Impact Payment Now." Clicking on that button triggers a dropdown menu with the names of well-known banks, such as Wells Fargo, Chase, Bank of America, and Citizens Bank.

"While our team has seen earlier versions of this trojan, which only featured a basic SMS stealer, new, and more elaborate, feature of the overlay malware capability - a tactic common to most Android banking malware." "Abusing the Accessibility service on the device, a relatively common way for Android malware apps to keep tabs on which app is running in the foreground, [Banker.BR] waits for a match with the goal of launching overlay screens at the right time and context to fool the user into tapping their credentials into the overlay," said researchers.

A case of alleged low-orbit internet banking fraud has taken another twist, with the US Attorney's Office for the Southern District of Texas filing an indictment in which it claimed the complainant in the case had lied. The case came to our attention in August 2019 when we chronicled how astronaut Lt Col Anne McClain denied a claim that she'd improperly accessed a bank account belonging to ex-wife Summer Worden while aboard the International Space Station.

The Zeus Sphinx banking trojan is back after being off the scene for nearly three years. First seen in August 2015, Sphinx is a modular malware based on the leaked source code of the infamous Zeus banking trojan, the researchers explained.

IBM and FireEye have spotted a campaign that relies on fake "COVID-19 Payment" emails to deliver the Zeus Sphinx banking trojan to people in the United States, Canada and Australia. The emails have the subject line "COVID-19 payment" and they carry malicious documents named "COVID 19 relief."

The TrickBot trojan has a new trick up its sleeve for bypassing a new kind of two-factor authentication security method used by banks - by fooling its victims into downloading a malicious Android app. Researchers first discovered the mobile app after a September 2019 tweet by CERT-Bund flagging TrickBot using man-in-the-browser techniques.

The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication.

British customers of High Street banking brand Natwest are being advised not to use the domain natwest.co.uk - by none other than Natwest itself. Consumers are increasingly becoming aware of threats to their online banking security through malware and malicious apps designed to steal credentials.