Android Banking Trojan Escobar Steals Google MFA Codes

What was once called AbereBot, an Android banking trojan, has returned with a new version going by the name Escobar. The new variant is capable of stealing Google AUthenticator Multi-Factor Authentication (MFA) codes meaning the attacker could bypass this layer of security when looking to steal credentials that could aid in the committing of bank fraud.

Along with several other features, Escobar can steal enough personally identifiable information from an Android user’s device that the victim’s bank accounts can be accessed and funds stolen from the now compromised account.

escobar android trojan steals google mfa codes

Researchers became aware of the new variant when the developer linked to AbereBot began advertising the Escobar variant on a Russian underground hacking forum. It would appear that the developer is looking to develop Escobar as a malware-as-a-service and will be charging 3000 USD per month for those looking to use the malware. From the advert, it is clear that the banking trojan is still under development as the developer will look to charge 5000 USD a month once the development is complete.

The initial discovery was made by Malware Hunter Team, who posted on Twitter on March 3, 2022, that they had detected a suspicious Android Package (APK) masquerading as a McAfee security product. At the time of detection Virus Total only detected it as malware on three of the 60 odd malware engines used by anti-virus vendors.

Feature Rich

Following the initial discovery security firm, Cyble began to analyze a sample of the malware and subsequently published an article detailing their findings. As to the malware capabilities, they are a mix of old and new as well as some staples of banking trojans like Cerebus we have seen in the past. Cyble noted that the malware will request the user to approve 25 permissions, 15 of them malicious that enable the banking trojans information-stealing capabilities. These malicious permissions include:

  • READ_SMS: This allows access to SMSes from the victim’s device.
  • RECEIVE_SMS: Intercepts SMSes received on the victim’s device
  • READ_CALL_LOG: Accesses Call Logs
  • READ_CONTACTS: Accesses phone contacts
  • READ_PHONE_STATE: This allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
  • RECORD_AUDIO: This allows the app to record audio with the microphone, which has the potential to be misused by attackers.
  • ACCESS_COARSE_LOCATION: This allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
  • ACCESS_FINE_LOCATION: This allows for the device’s precise location to be detected by using the Global Positioning System (GPS).
  • SEND_SMS: This allows for an application to send SMS messages.
  • CALL_PHONE: This allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  • WRITE_EXTERNAL_STORAGE: This allows an application to write or delete files in the device’s external storage.
  • READ_EXTERNAL_STORAGE: This allows the application to read the contents of the device’s external storage.
  • WRITE_SMS: This allows the app to modify or delete SMSes.
  • GET_ACCOUNTS: This allows the applications to generate a list of all the accounts used by the user on the compromised device.
  • DISABLE_KEYGUARD: This allows the app to disable the keylock and any associated password security.

Escobar like many other banking trojans makes use of overlays to steal information. What separates Escobar from other banking trojans is that it can be weaponized against any Android version, even if the overlay injections are blocked by a security app for example. Further, the latest version can target 190 banks and financial institutions from 18 countries in the latest version.

The most worrying feature of Escobar is its ability to collect Google Authenticator MFA codes. The codes are collected and then can be sent along with SMSes, call logs, and key logs to the attacker’s command and control server.

It is important to note that apps like Google Authenticator are proof against SIM swapping attacks but when the device is compromised by an attacker as in the case of a banking trojan infection, the codes sent by SMS can be intercepted.

The ability to intercept MFA codes is further supplemented by the addition of VNC Viewer, a cross-platform screen sharing utility with remote control features. This gives the threat actors a new powerful weapon to do whatever they want when the device is unattended.

Given that Escobar is still under development and the financial barrier to entry for the malware is rather high it is hard to guess the impact of the malware in the near future.

However, given its features and its capability to bypass blocks on overlays the malware does demand the attention of the InfoSec community at large. To help prevent infection by Escobar and other known banking trojans, Cyble advises the following:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal