S0478: EventBot
EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]
Analyst context for executives and security teams
EventBot matters because it represents Android malware focused on banking and financial application data theft, using accessibility abuse and related mobile behaviors to capture inputs, SMS messages, screen content, device context, and network connectivity details. For leaders, the practical issue is not just “mobile malware,” but whether enterprise mobile controls can prove they would notice risky accessibility grants, suspicious financial-app overlays or input capture, runtime code loading, and web-based outbound communication from Android devices that may access business or financial services.
Executive priority
Prioritize this where Android devices are used for corporate access, finance workflows, cryptocurrency activity, privileged identity access, or SMS-based authentication. The decision questions are: do we know which Android devices can access sensitive services, can we enforce trusted app sources and risky permission controls, and can we produce audit evidence showing mobile threat monitoring, app inventory, and incident response processes? Because ATT&CK provides no official detection text for EventBot, coverage should be validated through mobile telemetry and control testing rather than assumed from endpoint or network tools alone.
Technical view
SOC, detection, and IR teams should map EventBot-relevant coverage to Android behavior shown in the relationships: obfuscated files or traffic, runtime code download, keylogging and GUI input capture, software and system/network discovery, web-protocol C2-style communication, screen capture, symmetric cryptography, broadcast receiver persistence, SMS message access, and matching legitimate names or locations. Validate collection from Android/MDM/EMM, mobile threat defense, app vetting, and network telemetry. Special attention should be paid to accessibility service abuse because the official description identifies that as a core data-theft mechanism.
Likely telemetry
- Android device and app inventory, including package names, icons, install source, version, and application reputation or vetting results
- Accessibility service enablement, permission grants, and unusual apps requesting accessibility capabilities
- Runtime code loading or post-install code download indicators from mobile app analysis or mobile security tooling
- Android permissions and API usage related to SMS access, screen capture or MediaProjection-style consent, input capture, and foreground application interaction
- Broadcast receiver registrations or event-triggered execution indicators, such as boot or SMS-related receivers
Detection direction
- Do not rely on static app scanning alone; the related Download New Code at Runtime behavior means defenders should validate dynamic and behavioral analysis coverage.
- Tune detections around combinations of behaviors rather than single events: accessibility abuse plus financial-app targeting, SMS access, input capture, screen capture, or suspicious outbound web traffic is more meaningful than any one permission by itself.
- Review false positives carefully because accessibility services, SMS permissions, screen capture, and broadcast receivers can be legitimate in some Android apps; require baselines for approved apps and business use cases.
- Validate whether mobile telemetry is actually forwarded to the SOC and correlated with identity events, especially for accounts using mobile devices for authentication or financial access.
- Hunt for apps that mimic legitimate names, icons, or package locations, particularly when paired with obfuscation, unexpected permissions, or runtime-loaded code.
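The combination logic in the list above, as an added example rather than tooling from the original page, ATT&CK or Cybereason: it scores each app in a device inventory on the co-occurrence of an enabled accessibility service, SMS permissions, overlay capability, screen capture, runtime code loading, icon or name mimicry, a boot receiver and a sideload installer, and suppresses apps on an approved baseline. The inventory records and the `enabled_accessibility_services` string are constructed to resemble an MDM/MTD export and the value returned by `adb shell settings get secure enabled_accessibility_services`; the field names, weights and threshold are assumptions chosen for the example.

```python
"""Combination-based triage of Android app inventory records.

Added example for this page, not tooling from the original page, ATT&CK or
Cybereason. Inventory records and the accessibility-settings string are
constructed; field names, weights and threshold are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed weights: a single high-risk capability stays below the alert
# threshold; several together (the EventBot pattern on this page) cross it.
WEIGHTS = {
    "accessibility_enabled": 3,
    "sms_access": 2,
    "overlay": 2,
    "screen_capture": 2,
    "runtime_code_load": 2,
    "name_or_icon_mimicry": 2,
    "boot_receiver": 1,
    "sideloaded": 1,
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play installer package


@dataclass
class AppRecord:
    package: str
    label: str
    installer: Optional[str]                      # None = sideloaded / adb-installed
    permissions: set = field(default_factory=set)
    loads_code_at_runtime: bool = False           # dynamic-analysis or MTD verdict
    uses_media_projection: bool = False           # screen-capture consent observed
    icon_matches_known_app: Optional[str] = None  # package whose icon is reused


def parse_enabled_accessibility_services(raw: str) -> set:
    """Settings.Secure stores enabled services as pkg/Service:pkg2/Service2."""
    return {entry.split("/", 1)[0] for entry in raw.strip().split(":") if entry}


def score_app(app: AppRecord, accessibility_pkgs: set, baseline: set):
    """Return (score, reasons); apps on the approved baseline score zero."""
    if app.package in baseline:
        return 0, []
    reasons = []
    if app.package in accessibility_pkgs:
        reasons.append("accessibility_enabled")
    if app.permissions & SMS_PERMS:
        reasons.append("sms_access")
    if OVERLAY_PERM in app.permissions:
        reasons.append("overlay")
    if app.uses_media_projection:
        reasons.append("screen_capture")
    if app.loads_code_at_runtime:
        reasons.append("runtime_code_load")
    if app.icon_matches_known_app and app.icon_matches_known_app != app.package:
        reasons.append("name_or_icon_mimicry")
    if BOOT_PERM in app.permissions:
        reasons.append("boot_receiver")
    if app.installer not in TRUSTED_INSTALLERS:
        reasons.append("sideloaded")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(inventory, raw_accessibility, baseline, threshold=6, min_reasons=3):
    """Flag apps whose combined indicators cross the threshold, highest first."""
    accessibility_pkgs = parse_enabled_accessibility_services(raw_accessibility)
    hits = []
    for app in inventory:
        score, reasons = score_app(app, accessibility_pkgs, baseline)
        if score >= threshold and len(reasons) >= min_reasons:
            hits.append((app.package, score, reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample telemetry (not real device data).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.flashupdate/.core.AccService"
)
SAMPLE_INVENTORY = [
    AppRecord("com.google.android.marvin.talkback", "TalkBack",
              "com.android.vending", {BOOT_PERM}),
    AppRecord("com.example.flashupdate", "Flash Update", None,
              {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
               OVERLAY_PERM, BOOT_PERM},
              loads_code_at_runtime=True,
              icon_matches_known_app="com.example.bankapp"),
    AppRecord("com.example.corpmsg", "Corp Messenger", "com.android.vending",
              {"android.permission.RECEIVE_SMS"}),
]
BASELINE = {"com.google.android.marvin.talkback"}  # approved accessibility app

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY, SAMPLE_ACCESSIBILITY, BASELINE):
        print(f"{package}: score={score} reasons={','.join(reasons)}")
```

With the constructed data only `com.example.flashupdate` is flagged; the legitimate messenger with one SMS permission scores 2 and the baseline accessibility app scores 0, which is the false-positive behaviour the list above asks for. The `min_reasons` floor matters as much as the score: it keeps one weighty indicator from alerting on its own.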
Mitigation priorities
- Establish an Android mobile risk baseline: managed device enrollment, app inventory, approved app sources, and policy evidence for devices accessing sensitive services.
- Restrict or review sideloaded applications, untrusted app stores, and apps requesting high-risk permissions such as accessibility, SMS access, screen capture, or broad interaction with other applications.
- Use mobile app vetting and mobile threat monitoring capable of dynamic behavior assessment, not only package reputation or static signatures.
- Reduce credential and financial exposure by reviewing reliance on SMS-based workflows and by ensuring rapid credential reset and session revocation procedures for suspected mobile compromise.
- Prepare IR playbooks for Android malware: isolate or unenroll affected devices as appropriate, preserve available mobile evidence, review account activity, and confirm whether sensitive applications were accessed.
Analyst notes and limits
This take is based on the official ATT&CK EventBot software object, its Android platform designation, the official description of accessibility-service abuse and banking/financial application targeting, and the supplied uses relationships to mobile techniques. The relationships provide the best defensive map because the object itself does not list tactics or official detection guidance.
ATT&CK does not provide official detection text, aliases, labels, or tactics for this object in the supplied fields. The supplied relationship descriptions are partially truncated in places, so local validation should use the canonical ATT&CK pages and enterprise mobile telemetry. This assessment does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1521.001 | Symmetric Cryptography | EventBot has encrypted base64-encoded payload data using RC4 and Curve25519.[1] |
| Mobile | T1437.001 | Web Protocols | EventBot communicates with the C2 using HTTP requests.[1] |
| Mobile | T1407 | Download New Code at Runtime | EventBot can download new libraries when instructed to.[1] |
| Mobile | T1636.004 | SMS Messages | EventBot can intercept SMS messages.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location | EventBot has used icons from popular applications.[1] |
| Mobile | T1417.002 | GUI Input Capture | EventBot can display popups over running applications.[1] |
| Mobile | T1422 | System Network Configuration Discovery | EventBot can gather device network information.[1] |
| Mobile | T1418 | Software Discovery | EventBot can collect a list of installed applications.[1] |
| Mobile | T1426 | System Information Discovery | EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[1] |
| Mobile | T1513 | Screen Capture | EventBot can abuse Android’s accessibility service to capture data from installed applications.[1] |
| Mobile | T1406 | Obfuscated Files or Information | |
| Mobile | T1417.001 | Keylogging | EventBot can abuse Android’s accessibility service to record the screen PIN.[1] |
| Mobile | T1422.001 | Internet Connection Discovery | EventBot can gather device network information.[1] |
| Mobile | T1624.001 | Broadcast Receivers | EventBot registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.[1] |
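Several rows in the table correspond to declarations an app must make in its manifest: a receiver for `BOOT_COMPLETED` (T1624.001), a receiver for incoming SMS (T1636.004), a service guarded by `BIND_ACCESSIBILITY_SERVICE` (the accessibility abuse behind T1417.001 and T1513), and the permissions behind overlays and SMS access. The following static triage is an added example, not tooling from this page, ATT&CK or Cybereason; it assumes the manifest has already been decoded from the APK's binary XML (for example with apktool), and the sample manifest is constructed. It is a first pass only: runtime-loaded code (T1407) never appears in a manifest, so a clean result must still go through dynamic analysis.

```python
"""Static triage of a decoded AndroidManifest.xml for the receiver, service and
permission declarations behind the techniques in the table above.

Added example for this page, not tooling from the page, ATT&CK or Cybereason.
Assumes a text manifest (decoded from binary XML); the sample is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
HIGH_RISK_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def triage_manifest(xml_text: str) -> dict:
    """Collect the declarations worth a second look; none of them proves malice."""
    root = ET.fromstring(xml_text.strip())
    findings = {
        "package": root.get("package"),
        "high_risk_permissions": sorted(
            p.get(A_NAME) for p in root.iter("uses-permission")
            if p.get(A_NAME) in HIGH_RISK_PERMS
        ),
        "boot_receivers": [],
        "sms_receivers": [],
        "accessibility_services": [],
    }
    app = root.find("application")
    if app is None:
        return findings
    for receiver in app.iter("receiver"):
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            findings["boot_receivers"].append(receiver.get(A_NAME))
        if SMS_ACTION in actions:
            findings["sms_receivers"].append(receiver.get(A_NAME))
    for service in app.iter("service"):
        # A working accessibility service must be guarded by this permission so
        # that only the system can bind to it, which makes it a reliable marker.
        if service.get(A_PERMISSION) == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(service.get(A_NAME))
    return findings


def matches_eventbot_profile(findings: dict) -> bool:
    """Accessibility service plus an SMS or boot receiver: escalate to dynamic analysis."""
    return bool(findings["accessibility_services"]) and bool(
        findings["sms_receivers"] or findings["boot_receivers"]
    )


# Constructed sample manifest (not taken from any real sample).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flash Update">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".core.AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result, "escalate:", matches_eventbot_profile(result))
```

The profile check is deliberately narrow: many legitimate apps declare one of these items (a messaging app needs `SMS_RECEIVED`, a screen reader needs the accessibility binding), so the escalation rule fires only on the combination, and even then it routes the sample to dynamic analysis rather than declaring it malicious.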
All related ATT&CK context
Object version and sync metadata
The fields below describe the currently mirrored snapshot; when several ATT&CK source imports are retained, the same object can be compared across releases by hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Object version | Status | Raw hash |
|---|---|---|---|
| 19.1 | 1.0 | Current bundle | c4bf0452940e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason EventBot. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
- [2] mitre-attack S0478. MITRE ATT&CK software object for EventBot.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.