An old Android malware family, Aberebot, has reappeared in the cyberthreat landscape under a new name, Escobar, with new attack capabilities such as stealing Google Authenticator MFA codes from targeted victims.
The new Android banking trojan can also take control of infected devices through remote access software, take photos, record audio, and target the applications installed on the device to steal sensitive data. After gathering the victims' data, the threat actors log in to their bank accounts, drain whatever funds they can, and perform unauthorized transactions.
In February 2022, cybersecurity researchers found a post on a Russian-based dark web forum in which the developers of the Escobar Android malware were actively promoting the latest version of the banking trojan under its new name.
The beta version of the malware is being rented for about $3,000 a month to a maximum of five customers, with a three-day free trial of the bot included. Once development is complete, its owners plan to raise the price to about $5,000.
The malware was first discovered posing as a fake McAfee application, and experts have warned users that Escobar is able to bypass several anti-virus products.
Analysis of the new variant shows that the banking trojan displays an overlay login form; the credentials victims enter into it are captured by the threat actors.
Experts also note that the new banking trojan targets an expanded set of financial institutions, which they say makes it more dangerous than other malware. Upon installation, the malware requests 25 permissions on the device, 15 of which are used for malicious activities.
The data the malware collects, such as Google MFA codes, SMS and call logs, and the contacts list, is uploaded to its C2 server. Escobar can also record audio and take screenshots on the device.
Given the new variant's capabilities, experts expect it to attract many threat actors who will deploy it against their victims. To avoid becoming a victim, users are strongly advised not to install suspicious APKs from third-party sites and to stick to applications with helpful reviews in the Google Play Store.
When installing any application on an Android device, review every permission the app requests and watch for suspicious behaviour during the first few days.
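As a defender-side companion to the permission-review advice above, here is an added example (not from the article or the researchers) that parses the `requested permissions:` section of `adb shell dumpsys package <pkg>` output and flags permissions matching the capabilities described: overlays, SMS, call logs, contacts, audio and camera. The permission-to-capability mapping and the sample package are my own assumptions.

```python
from typing import Dict, List

# My own mapping (assumption) from Android permissions to the capabilities the
# article attributes to the trojan; it is not a list published by the researchers.
RISKY_PERMISSIONS: Dict[str, str] = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays such as fake login forms",
    "android.permission.READ_SMS": "read SMS, including MFA codes delivered by text",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read the contacts list",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "take photos",
}

# Constructed excerpt in the layout of `adb shell dumpsys package <pkg>`;
# the package name and hash are invented for the example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeav] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_NETWORK_STATE
    install permissions:
      android.permission.INTERNET: granted=true
"""

def parse_requested_permissions(dumpsys_output: str) -> List[str]:
    """Return the entries listed under 'requested permissions:'."""
    perms: List[str] = []
    in_section = False
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            # The section ends at the next header line (ends with ':') or a blank line.
            if not stripped or stripped.endswith(":"):
                break
            perms.append(stripped)
    return perms

def triage(dumpsys_output: str) -> Dict[str, str]:
    """Map each risky requested permission to the capability it would enable."""
    requested = parse_requested_permissions(dumpsys_output)
    return {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}
```

Run it against the real output of `adb shell dumpsys package <pkg>` for a freshly installed app; a fake anti-virus or utility app asking for overlay, SMS and audio permissions at once is the pattern the article warns about.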