Android malware Escobar caught stealing Google Authenticator codes

A revised version of the Aberebot banking malware has appeared on the dark web and is infecting Android smartphones. Now marketed as “Escobar”, the Trojan has learned a few tricks to avoid detection. According to the online magazine Bleeping Computer, it is a classic banking Trojan that targets Android users while disguised as a McAfee app. Malware-Hunter experts first discovered the suspicious APK in early March 2022 and warned that most antivirus programs do not recognize the app as malware.

The Trojan currently in circulation is called “Escobar” and is a further development of “Aberebot”. Bleeping Computer unearthed more information while investigating the Trojan, including an offer from the malware developer on a Darknet forum. The developer rents the beta version of the malware to up to five customers for $3,000 per month, and prospective buyers can try the bot for three days for free.

Hackers empty accounts via bank transfer

Like most banking Trojans, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal victims’ login credentials. The main purpose of the Trojan is to collect enough information for the threat actors to take over victims’ bank accounts and transfer out the available funds. Escobar does not only steal data; it also uses tricks to evade detection and to keep victims from becoming suspicious. The malware requests 25 different permissions, more than half of which are misused for malicious purposes, including recording audio, reading SMS, reading and writing storage, viewing the account list, disabling the keylock, making calls, and accessing the device’s location.
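The permission set described above is the kind of signal an analyst can check before an app is ever run. The following Python script is an added example and not code from the article or from any vendor: it parses a decoded AndroidManifest.xml, lists the requested permissions, and flags those that match the capabilities the article attributes to Escobar (audio, SMS, storage, accounts, keyguard, calls, location) plus the overlay permission that banking Trojans need for fake login forms. The permission-to-capability mapping, the two sample manifests and the verdict thresholds are assumptions made for this example.

```python
"""Triage the permissions an Android app requests, defender-side."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Standard Android permission names mapped to the capability they grant.
# The selection mirrors what the article says Escobar abuses; the mapping
# itself is an assumption of this example, not taken from the malware.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_SMS": "read SMS (2FA codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.GET_ACCOUNTS": "view account list",
    "android.permission.DISABLE_KEYGUARD": "disable keylock",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake login forms)",
}
SMS_PERMS = ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS")
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")
            if el.get(NAME_ATTR)]


def triage(manifest_xml: str) -> dict:
    """Flag high-risk permissions and give a coarse verdict.

    'suspicious' when overlay + SMS access are combined (the classic
    credential-theft plus 2FA-bypass pairing) or when more than half of
    all requested permissions are high-risk; 'review' when any high-risk
    permission is present; 'ok' otherwise. Thresholds are assumptions.
    """
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    overlay_and_sms = OVERLAY_PERM in flagged and any(p in flagged for p in SMS_PERMS)
    ratio = len(flagged) / len(perms) if perms else 0.0
    if overlay_and_sms or ratio > 0.5:
        verdict = "suspicious"
    elif flagged:
        verdict = "review"
    else:
        verdict = "ok"
    return {"total": len(perms), "flagged": flagged,
            "ratio": round(ratio, 2), "verdict": verdict}


def _manifest(*perms: str) -> str:
    """Build a minimal decoded manifest (constructed sample input)."""
    uses = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">\n'
            f"{uses}\n</manifest>")


# Constructed samples: a benign network-only app and an app that requests
# the same capabilities the article lists for Escobar.
BENIGN_MANIFEST = _manifest(
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
)
SUSPICIOUS_MANIFEST = _manifest(
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.DISABLE_KEYGUARD",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
)

if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        r = triage(m)
        print(f"{label}: {r['verdict']} ({len(r['flagged'])}/{r['total']} high-risk)")
        for perm, why in r["flagged"].items():
            print(f"  {perm}: {why}")
```

For a real APK the manifest is stored in binary form, so it first has to be decoded (for example with apktool, or by reading the output of `aapt dump permissions app.apk`) before being fed to `triage`. A high verdict is not proof of malice on its own, since legitimate security or messaging apps also request SMS or overlay access; it is a prioritisation signal that says which apps deserve a closer look.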

Everything the malware collects is sent to the attackers, including SMS messages, call logs, key logs, notifications, and Google Authenticator codes. With access to SMS and Google Authenticator, the criminals can bypass two-factor authentication and take control of the victim’s e-banking to empty accounts via wire transfer. New features of the Trojan include taking over infected Android devices via VNC, recording audio and taking pictures, and an expanded list of applications targeted for credential theft. It is too early to say how widespread the new Escobar malware will become.

When downloading apps, users should only use trusted sources. Be wary of unusual permission requests after installation, and check the app’s battery and network usage statistics to spot suspicious patterns. In addition, Google Play Protect should be enabled on the device.