Security researchers are sounding the alarm over a newly discovered Android malware that targets banking apps and cryptocurrency wallets.
The malware, which researchers at security firm Cybereason recently discovered and called EventBot, masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android — which abuses Android’s in-built accessibility features to obtain deep access to the device’s operating system.
Once installed — either by an unsuspecting user or by a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps — including PayPal, Coinbase, CapitalOne and HSBC — and intercepts and two-factor authentication text message codes.
With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.
“The developer behind Eventbot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high,” Assaf Dahan, head of threat research at Cybereason, told TechCrunch.
The malware quietly records every tap and key press, and can read notifications from other installed apps, giving the hackers a window into what’s happening on a victim’s device.
Over time, the malware siphons off banking and cryptocurrency app passwords back to the hackers’ server.
The researchers said that EventBot remains a work in progress. Over a period of several weeks since its discovery in March, the researchers saw the malware iteratively update every few days to include new malicious features. At one point the malware’s creators improved the encryption scheme it uses to communicate with the hackers’ server, and included a new feature that can grab a user’s device lock code, likely to allow the malware to grant itself higher privileges to the victim’s device like payments and system settings.
But while the researchers are stumped as to who is behind the campaign, their research suggests the malware is brand new.
“Thus far, we haven’t observed clear cases of copy-paste or code reuse from other malware and it seems to have been written from scratch,” said Dahan.
Android malware is not new, but it’s on the rise. Hackers and malware operators have increasingly targeted mobile users because many device owners have their banking apps, social media, and other sensitive services on their device. Google has improved Android security in recent years by screening apps in its app store and proactively blocking third-party apps to cut down on malware — with mixed results. Many malicious apps have evaded Google’s detection.
Cybereason said it has not yet seen EventBot on Android’s app store or in active use in malware campaigns, limiting the exposure to potential victims — for now.
But the researchers said users should avoid untrusted apps from third-party sites and stores, many of which don’t screen their apps for malware.
TikTok, the widely popular video sharing app developed by one of the world’s most valued startups (ByteDance), continues to grow rapidly despite suspicion from the U.S. as more people look for ways to keep themselves entertained amid the coronavirus pandemic.
The global app and its Chinese version, called Douyin, have amassed over 2 billion downloads on Google Play Store and Apple’s App Store, mobile insight firm Sensor Tower said Wednesday.
TikTok is the first app after Facebook’s marquee app, WhatsApp, Instagram and Messenger to break past the 2 billion downloads figure since January 1 of 2014, a Sensor Tower official told TechCrunch. (Sensor Tower began its app analysis on that date.)
A number of apps from Google, the developer of Android, including Gmail and YouTube, have amassed over 5 billion downloads, but they ship pre-installed on most Android smartphones and tables.
TikTok’s 2 billion download milestone, a key metric to assess an app’s growth, comes five months after it surpassed 1.5 billion downloads.
In the quarter that ended on March 31, TikTok was downloaded 315 million times — the highest number of downloads for any app in a quarter and — surpassing its previous best of 205.7 million downloads in Q4 2018. Facebook’s WhatsApp, the second most popular app by volume of downloads, amassed nearly 250 million downloads in Q1 this year, Sensor Tower told TechCrunch.
As the app gains popularity, it is also clocking more revenue. Users have spent about $456.7 million on TikTok to date, up from $175 million five months ago. Much of this spending — about 72.3% — has happened in China. Users in the United States have spent about $86.5 million on the app, making the nation the second most important market for TikTok from the revenue standpoint.
Craig Chapple, a strategist at Sensor Tower, said that not all the downloads are as organic as TikTok, which launched outside of China in 2017 and has engaged in a “large user acquisition campaign.” But he attributed some of the surge in downloads to the COVID-19 outbreak that has driven more people than ever to look for new apps.
India, TikTok’s largest international market, accounts for 30.3% of the app’s downloads, according to Sensor Tower. The app has been downloaded 611 million times in the world’s second largest internet market.
From a platform’s standpoint, 75.5% of all of TikTok’s downloads have occurred through Google Play Store. But the vast majority of spending has come from users on Apple’s ecosystem ($435.3 million of $456 million).
TikTok’s parent firm ByteDance, which was valued at $75 billion two years ago, counts Bank of China, Bank of America, Barclays Bank, Citigroup, Goldman Sachs, JP Morgan Chase, UBS, SoftBank Group, General Atlantic, and Sequoia Capital China among some of its investors.
Apple and Google have released the first version of their exposure notification API, which they previously called the contact tracing API. This is a developer-focused release, and is a seed of the API in development, with the primary intent of collecting feedback from developers who will be using the API to create new contact tracing and notification apps on behalf of public health agencies.
Last week, Apple CEO Tim Cook told EU Commissioner Thierry Breton that the API would be arriving shortly, and this version is indeed now available — albeit to a specific and limited group that includes select developers working on behalf of public health authorities globally, according to the companies. This is a test release that’s intended to provide the opportunity for development and feedback in advance of the API’s public release in mid-May, at which time developers will be able to use the software feature on devices with publicly available apps released through the iOS and Google software stores, respectively.
Apple and Google say they will be providing this coming Friday additional details about the API and its release, including sample code to show how it operates in practice. Both are intent on providing updates to the documentation as they become available, and in adding access to new developers throughout testing, though this will be gated because the companies are limiting access to this API to authorized public health authorities only.
Already, Apple and Google have made available on their respective developer websites documents that describe the specification in detail, and provided an update with improvements to the tech’s functioning, including in terms of its protection of user privacy, and the ease with which developers can deploy it within their apps, as discussed during a press call last week.
This update includes an added ability for health authorities to define and calculate an exposure risk level for individuals based on their own criteria, as that varies organization to organization. This will be variable based on approximate distance of an individual to a confirmed exposed COVID-19 patient, as well as the duration of that exposure. Developers can customize notification messaging based on their defined exposure levels to ensure alerts correspond correctly to calculated risk.
Apple and Google first announced the combined API and eventual system-level contact tracing feature on April 10, and intend to release the first version of the API publicly in mid-May, with the system-level integration to follow in the coming months. The tech is designed to be privacy-preserving, ensuring that contact IDs are rotating and randomized, and never tied to an individual’s specific identifying information.