Escobar is the new Android banking Trojan we’ve met before

Aberebot, a known Android banking Trojan, has changed its name and returned loaded with new features. First spotted by @MalwareHunterTeam in early March, this mobile variant was renamed “Escobar”—a homage to the Colombian drug baron—and disguised itself as a McAfee app. It went by the package name of com.escobar.pablo and the application name of “McAfee”.

Possibly interesting, very low detected "McAfee9412.apk": a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f
From: https://cdn.discordapp[.]com/attachments/900818589068689461/948690034867986462/McAfee9412.apk
"com.escobar.pablo"
pic.twitter.com/QR89LV4jat

— MalwareHunterTeam (@malwrhunterteam) March 3, 2022

BleepingComputer found a post on a Russian-speaking hacking forum that says Escobar’s creators are renting the beta version of the malware for $3,000 a month and plan to increase it to $5,000 once development is finished:

Hello dear {redacted}. I came to this group on the advice and recommendation of a friend. I am an Android malware developer and I want to start renting my private Android banking bot here. The bot is still in BETA version and it is possible to encounter errors and bugs, so for this month I will rent the bot to a maximum of 5 customers.

This new Aberebot variant widens its information-stealing capabilities by abusing features built into smartphones to harvest as much information as it can, take complete control of victims' accounts, empty them, and perform unauthorized transactions.

Among the 25 permissions it asks users for, it abuses 15, enabling the malware to (among other things) record audio, read and send SMS messages, take screenshots, uninstall apps, get the precise location of the device, and download media files from victims' devices.

Escobar can steal Google Authenticator multi-factor authentication (MFA) codes, SMS call logs, key logs, and notifications, which it sends to its C2 server.

Lastly, Escobar gives device control to affiliate malware distributors using VNC Viewer, a screen-sharing tool with remote control features. Once the phone is unattended, threat actors can, essentially, do what they want with the device.

Cyble, the cybersecurity company that wrote extensively about Aberebot and Escobar, asserts that highly sophisticated malware like Escobar can only be distributed from sources outside the Google Play Store.

Google Play is far from perfect, but the best way to minimize the chance of becoming infected with Escobar is to stick to downloading apps from there. Android users should also enable Google Play Protect on their device, and use a mobile security solution.

Malwarebytes users are already protected from Escobar. We detect it as Android/Trojan.BankBot.Esco.c.

Stay safe!

The post Escobar is the new Android banking Trojan we’ve met before appeared first on Malwarebytes Labs.