Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

What is Escobar malware?

Android users have this month been hit by Escobar, malicious software built to steal your personal data and online banking details while disguised as legitimate antivirus software.

It does this using a combination of remote control features, showing you fake bank login screens and capturing two-factor authentication tokens from SMS messages or the Google Authenticator 2FA app.

It can also record audio, take photos and screenshots, download your media, uninstall apps, send text messages, monitor your calls messages and notifications, disable your phone’s lock code, copy your contacts and steal application keys.

Spotted in the wild in early March by MalwareHunterTeam and documented in detail by threat intelligence firm Cybele, Escobar disguises itself as the McAfee Security app. It’s a trojan horse: a type of program that tricks the user into thinking it’s something else so that they install it and give it the permissions it needs to go about its nefarious business.

The app’s full name is com.escobar.pablo, named by its creators after the infamous Colombian terrorist and drug trafficker. It’s a version of the Aberebot banking trojan, which was first seen in the summer of 2021. Aberebot’s source code was put up for sale in November 2021, leading malware analysts to suggest that new variants would be on the way.

BleepingComputer found posts promoting a beta version of new Escobar variant on hacking forums in February 2020, available for other threat actors to rent at discounted price while it’s in development.

Escobar adds new features, most notably the ability to steal Google Authenticator codes an integrated VNC (Virtual Network Computing) viewer to watch and remotely control infected devices. The Google Authenticator code theft threat is particularly noteworthy, and puts more than just online banking accounts at risk.

Cybel researchers note that “these types of malware are only distributed via sources other than Google Play Store”. Transmission vectors for the older Aberebot banking trojan were third-party app stores and phishing campaigns . An example of such a campaign would be an SMS or email, perhaps pretending to be from a bank, inviting a user to install an app.

Kaspersky Home Security

Kaspersky Home Security

Keep your online activity safe and private across multiple devices – without compromising speed.

Check out Kaspersky’s new security plans from just £10.99 per year

  • Kaspersky
  • Money back guarantee
  • from ÂŁ10.99
Buy now


How can I tell if my phone is infected with Escobar?

If you’ve never downloaded any apps from disreputable third-party app stores or installed APKs (Android software) from anything other than the Google Play Store, you’re pretty certain not to be infected, as third-party APK installation is disabled by default and this malware has not been found on the Play Store to date. Make sure Google Play Protect app scanning is enabled.

How can I check for Escobar?

Scan your phone using a legitimate antivirus tool. MalwareBytes has confirmed that its free Android scanner can detect this malware.

How can I remove Escobar?

You should initially attempt removal using a reputable anti-malware tool. If this fails, back up your personal data but not your apps to Google and factory reset your phone.

What should I do if I suspect my banking data has been compromised?

Contact your bank immediately to report suspected fraud.

Why trust our journalism?

Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.

Trusted Reviews Logo

Sign up to our newsletter

Get the best of Trusted Reviews delivered right to your inbox.

This is a test error message with some extra words