Security News

New Android malware steals banking passwords

Avast Security News Team, 1 May 2020

Plus, more news bytes of the week, including malware packaged with pirated movies and a hacker who can’t stop hacking

A new malware called EventBot is infecting Android devices in order to steal login credentials for banking apps and cryptocurrency wallets, TechCrunch reported. Researchers believe the malware is still a work-in-progress that has not been officially “released” yet, as they have observed several major upgrades since its discovery in March, including new malicious features and improved encryption for its command-and-control server (C2) communications. Icons found in the malware lead researchers to believe that when it is launched, it will masquerade as legitimate Android apps such as Microsoft Word and Adobe Flash. 

Upon infection of the device, EventBot requests many permissions, including access to the device’s accessibility features. Once it receives this access, it behaves as a keylogger, has the ability to intercept SMS messages, and can bypass two-factor authentications. Because it doesn’t use any signature mechanisms or recognizable coding, researchers believe the malware is brand new, and they are mystified as to its origin. In its current iteration, EventBot seems designed to target over 200 banking and finance applications such as PayPal, Capital One, and Coinbase. 

The malware has not been detected in the official Google Play Store as of yet, and Avast Security Evangelist Luis Corrons reminds users to avoid illegal and unofficial app stores. “Android is the most used operating system in the world,” he commented. “According to Google, a year ago there were already 2.5 billion active Android devices. This makes the platform really attractive for cybercriminals, and that is why it is targeted by them. Apart from having your device updated and running a security solution on it, it is key not to install apps from untrusted external sources. Just stick with the millions of apps we can find in the Google Play Store.”

CISA updates Office 365 best practices for WFH employees

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week to update its recommendations for security best practices regarding Microsoft Office 365, particularly geared toward the working-from-home trend. Due to how quickly businesses switched over to remote working, CISA is concerned “organizations may not be fully considering the security configurations of these platforms.” The alert lays out detailed guidance for Office 365 security, which includes advice to use multi-factor authentication, to enable unified audit logging, and to disable legacy email protocols, among other tips.  

This week’s stat

$500,000 in 5 months!

That’s how much “sextortioners” have netted within that time frame, according to security researchers analyzing the trend. “Sextortion” is the fraud scheme that threatens users with the release of a video showing their online porn habits if they do not pay a financial demand. Read more at Dark Reading

Pirated movies packaged with malware

Malware distributors are taking advantage of the surge in pirated movie downloads during the shelter-in-place lockdowns happening in many countries. The Microsoft Security Intelligence team tweeted about it, calling attention to a cryptomining campaign it observed hiding within movie downloads. Bleeping Computer reported that the campaign is primarily targeting Spain and South America, with pirated versions of popular movies like John Wick 3 being packaged with malware. To avoid falling victim to this kind of threat, users are advised to stick to legal streaming platforms and subscription services. 

Ransomware attack group apologizes and shuts down

The distributors of Shade Ransomware, one of the oldest ransomware strains in existence, announced on GitHub that they are ending their operations and that they are sorry for all the harm they have caused. They included downloads for a set of over 750,000 encryption keys in the post, stating that the set corresponds with all versions of their ransomware over the years and that they hope users can retrieve their data. The group did not provide a reason for their change of heart, but ZDNet reported that researchers have verified the encryption keys as legitimate.

This week’s quote

“The education sector is particularly vulnerable during social distancing since they need to adjust operations for over 25 million students across 4,235 higher education institutions in the United States that have been impacted by COVID-19,” said Scott Gordon, chief information system security professional at Pulse Secure LLC, commenting on the impact of Chegg’s third breach since 2018.

Twitter grants approved applicants livestream of COVID-19 tweets

If applicants can prove that they will use the information for the public good, Twitter will approve them to receive a livestream of COVID-19 tweets. Reuters reported that the social platform’s offer is aimed at grant researchers, software developers, crisis management directors, emergency response teams, and community communication organizers. Approved applicants will receive a full real-time stream of every COVID-19 related tweet from the moment they log on. They will not receive tweets that occurred in the past. Applicants also must explain to Twitter how they will protect the privacy and safety of the users represented in the data stream. 

Hacker who served time hacks again

California journalist Matthew Keys was indicted by a federal grand jury in 2013 for stealing hundreds of viewer email addresses from a Sacramento TV station that had fired him, as well as abetting a hacker in altering a story on the Los Angeles Times website. After serving 2 years in prison for the crimes, Keys was released. In 2019, he took a job as digital editor with Comstock’s Magazine but quit in January 2020 after a dispute with management. He now stands accused of hacking into Comstock’s Magazine’s web accounts and deleting its YouTube videos and YouTube account. Probation officers raided Keys’ house, seizing 18 devices. Forensic analysis revealed Keys did delete the YouTube videos and account. His hearing is set for June 8. Read more at The Sacramento Bee

This week’s ‘must-read’ on The Avast Blog

Wondering about this TikTok thing that is constantly occupying your kid’s time? Understand the security risks and learn how to keep your kid safe with our TikTok tips and advice.  


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN. Get advertisers off your back and disguise your online identity for greater privacy with Avast AntiTrack.