Android malware Escobar steals your Google Authenticator MFA codes


The Aberebot Android banking trojan has returned under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes.

The new features in the latest Aberebot version also include taking over the infected Android devices with VNC, recording audio and taking photos, while also expanding the suite of targeted credential theft apps.

The main purpose of the trojan is to steal enough information to allow the threat actors to take over victims’ bank accounts, transfer available balances and carry out unauthorized transactions.

Renamed Escobar

Using KELA’s DARKBEAST cyber-intelligence platform, BleepingComputer found a February 2022 post on a Russian-speaking hacking forum in which the developer of Aberebot promotes the new version under the name “Escobar Bot Android Banking Trojan”.

Seller’s post on a darknet forum (KELA)

The malware author rents the beta version of the malware for $3,000 per month to up to five customers, giving threat actors the opportunity to test the bot for three days for free.

The threat actor plans to increase the price of the malware to $5,000 after development is complete.

MalwareHunterTeam first spotted the suspicious APK on March 3, 2022, disguised as a McAfee app, and warned that the vast majority of antivirus engines failed to detect it.

Potentially interesting, very low detected “McAfee9412.apk”: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f
From: https://cdn.discordapp[.]com/attachments/900818589068689461/948690034867986462/McAfee9412.apk

— MalwareHunterTeam (@malwrhunterteam) March 3, 2022

This was picked up by researchers at Cyble, who conducted an analysis of the new ‘Escobar’ variant of the Aberebot trojan.

According to the same analysts, Aberebot first appeared in the wild in the summer of 2021, so the appearance of a new version indicates active development.

Old and new possibilities

Like most banking trojans, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal victims’ login credentials.

The malware also includes several other features that make it powerful against any Android version, even if the overlay injections are somehow blocked.

The authors have expanded the set of target banks and financial institutions in the latest version to as many as 190 entities from 18 countries.

The malware requests 25 permissions, 15 of which are misused for malicious purposes. Examples include accessibility, audio recording, reading SMS, reading and writing storage, getting the account list, disabling the key lock, making calls, and accessing the exact device location.
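As an added example (not from the article or from Cyble’s analysis), the script below triages a decoded AndroidManifest.xml for the permission set the article lists, counting how many of those capabilities one app stacks together. The manifest is constructed for this example, and the package name, the watchlist wording and the alert threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article names as misused, mapped to the capability each grants.
WATCHLIST = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_SMS": "read SMS (OTP interception)",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.GET_ACCOUNTS": "enumerate accounts",
    "android.permission.DISABLE_KEYGUARD": "disable key lock",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text):
    """Return (package, findings): watchlisted capabilities the manifest requests."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "<unknown>")
    findings = [WATCHLIST[n.get(ANDROID_NS + "name", "")]
                for n in root.iter("uses-permission")
                if n.get(ANDROID_NS + "name", "") in WATCHLIST]
    # Accessibility access is declared per <service>, not via <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
            findings.append("accessibility service (UI control, keylogging)")
    return package, findings


def is_suspicious(findings, threshold=4):
    """Assumed rule: flag an app that stacks several of these capabilities at once."""
    return len(findings) >= threshold


# Constructed sample manifest (not the real APK) mimicking the described permission set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest yields seven findings, which `is_suspicious` flags; a manifest requesting only INTERNET yields none.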

Everything the malware collects is uploaded to the C2 server, including SMS, call logs, key logs, notifications, and Google Authenticator codes.

Code to get hold of Google Authenticator codes (Cyble)

The above is enough to help the scammers overcome two-factor authentication hurdles when they take control of e-banking accounts.

2FA codes either arrive via SMS or are generated and rotated by software tokens such as Google Authenticator, which derive HMAC-based one-time codes from a stored secret. The latter is considered more secure because it is not prone to SIM swap attacks, but it is still not protected against malware running in user space on the same device.

The addition of VNC Viewer, a cross-platform screen-sharing utility with remote control functions, also gives threat actors a powerful new tool to do what they want while the device is unattended.

VNC viewer code in Aberebot (Cyble)

Apart from the above, Aberebot can also record audio clips or take screenshots and exfiltrate both to the actor-controlled C2; the full list of supported commands is shown below.

Table of Aberebot accepted commands (Cyble)

Do we have to worry?

It’s too early to say how popular the new Escobar malware will become in the cybercrime community, especially at a relatively high price. Still, it is now powerful enough to entice a wider audience.

Its operating model, which involves arbitrary actors who can rent it, also means that the distribution channels and methods can vary widely.

In general, you can minimize the chance of infection with Android Trojans by avoiding installing APKs outside of Google Play, using a mobile security tool, and ensuring that Google Play Protect is enabled on your device.

Additionally, when installing a new app from any source, keep an eye out for unusual requests for permissions and monitor the app’s battery and network usage statistics for the first few days to identify suspicious patterns.
