What is Escobar malware?

Android users have this month been hit by Escobar, malicious software built to steal your personal data and online banking details while disguised as legitimate antivirus software.

It does this using a combination of remote control features, showing you fake bank login screens and capturing two-factor authentication tokens from SMS messages or the Google Authenticator 2FA app.

It can also record audio, take photos and screenshots, download your media, uninstall apps, send text messages, monitor your calls messages and notifications, disable your phone’s lock code, copy your contacts and steal application keys.

Possible interesting, very low detected "McAfee9412.apk": a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f
From: https://cdn.discordapp[.]com/attachments/900818589068689461/948690034867986462/McAfee9412.apk
"com.escobar.pablo"
😂 pic.twitter.com/QR89LV4jat

— MalwareHunterTeam (@malwrhunterteam) March 3, 2022

Spotted in the wild in early March by MalwareHunterTeam and documented in detail by threat intelligence firm Cybele, Escobar disguises itself as the McAfee Security app. It’s a trojan horse: a type of program that tricks the user into thinking it’s something else so that they install it and give it the permissions it needs to go about its nefarious business.

The app’s full name is com.escobar.pablo, named by its creators after the infamous Colombian terrorist and drug trafficker. It’s a version of the Aberebot banking trojan, which was first seen in the summer of 2021. Aberebot’s source code was put up for sale in November 2021, leading malware analysts to suggest that new variants would be on the way.

BleepingComputer found posts promoting a beta version of new Escobar variant on hacking forums in February 2020, available for other threat actors to rent at discounted price while it’s in development.

Escobar adds new features, most notably the ability to steal Google Authenticator codes an integrated VNC (Virtual Network Computing) viewer to watch and remotely control infected devices. The Google Authenticator code theft threat is particularly noteworthy, and puts more than just online banking accounts at risk.

Cybel researchers note that “these types of malware are only distributed via sources other than Google Play Store”. Transmission vectors for the older Aberebot banking trojan were third-party app stores and phishing campaigns . An example of such a campaign would be an SMS or email, perhaps pretending to be from a bank, inviting a user to install an app.