Android Banking Malware Escobar is Back Stealing Google Authenticator MFA Codes 

The Aberebot Android banking malware has been renamed ‘Escobar,’ and it now includes additional capabilities such as stealing Google Authenticator multi-factor authentication (MFA) codes. In addition to gaining control of compromised Android devices using VNC, capturing audio, and taking images, the newest Aberebot version also expands the list of apps targeted for credential theft. The trojan’s primary purpose is to steal enough information to let threat actors access victims’ bank accounts, drain available funds, and conduct illicit activities. 

Using KELA‘s cyber-intelligence DARKBEAST platform, researchers discovered a February 2022 forum post on a Russian-language hacking community in which the Aberebot creator promotes their latest version as the ‘Escobar Bot Android Banking Trojan.’ The malware author is renting its beta version to a maximum of five clients for $3,000 per month, with prospective customers getting three days to test the bot for free. Once development is complete, the author intends to raise the malware’s price to $5,000. 

On March 3, 2022, MalwareHunterTeam discovered the suspicious APK, posing as a McAfee program, and warned that it evaded detection by the great majority of anti-virus engines. Researchers at Cyble found the same when they examined the new ‘Escobar’ strain of the Aberebot trojan. The same analyst disclosed that Aberebot first surfaced in the wild in the summer of 2021, so the arrival of a new version signals ongoing development. 

Like other banking trojans, Escobar uses overlay login forms to hijack user interactions with e-banking websites and apps and steal victims’ credentials. Even if the overlay injections are somehow blocked, the malware has various other capabilities that make it effective on any Android version. The malware requests a total of 25 permissions, 15 of which it abuses. Everything the malware captures, including SMS messages, call records, key logs, alerts, and Google Authenticator codes, is sent to the C2 server. 
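As an added example (not code from the article, KELA, Cyble or MalwareHunterTeam), the following triage script checks an AndroidManifest.xml for the permission and service combination that the capabilities described above require; the permission names are real Android identifiers, while the mapping of each capability to its permissions and the sample manifest are this example's own constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the article -> manifest evidence needed to implement it.
# (Assumed mapping for this example; the article itself lists no permissions.)
CAPABILITY_PERMISSIONS = {
    "overlay login forms": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "SMS / MFA code theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call records": {"android.permission.READ_CALL_LOG"},
    "audio capture": {"android.permission.RECORD_AUDIO"},
    "image capture": {"android.permission.CAMERA"},
    # Accessibility services are how keylogging and reading another app's screen
    # (e.g. Google Authenticator codes) are usually done on a non-rooted device.
    "keylogging / reading Authenticator": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification capture": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

# Constructed sample manifest imitating a fake anti-virus dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def collect_permissions(manifest_xml: str) -> set:
    """Gather <uses-permission> names plus the bind permissions declared on <service>."""
    root = ET.fromstring(manifest_xml)
    found = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            found.add(perm)
    return found


def triage(manifest_xml: str) -> dict:
    """Map requested permissions back to the trojan capabilities and score the sample."""
    found = collect_permissions(manifest_xml)
    hits = {cap: bool(perms & found) for cap, perms in CAPABILITY_PERMISSIONS.items()}
    return {"capabilities": hits, "score": sum(hits.values()), "total_requested": len(found)}
```

A score near the number of mapped capabilities on an app that claims to be an anti-virus product is a strong reason to pull the sample for dynamic analysis.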

It’s too soon to know how popular the new Escobar malware will be among cybercriminals, especially given its exorbitant price. Nonetheless, it has grown in capability to the point that it could attract a larger audience. Furthermore, because its operating model lets anyone rent it, its distribution channels and techniques may vary significantly. 

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.