Android users have this month been hit by Escobar, malicious software built to steal your personal data and online banking details while disguised as legitimate antivirus software.
It does this using a combination of remote control features, showing you fake bank login screens and capturing two-factor authentication tokens from SMS messages or the Google Authenticator 2FA app.
It can also record audio, take photos and screenshots, download your media, uninstall apps, send text messages, monitor your calls messages and notifications, disable your phone’s lock code, copy your contacts and steal application keys.
Spotted in the wild in early March by MalwareHunterTeam and documented in detail by threat intelligence firm Cybele, Escobar disguises itself as the McAfee Security app. It’s a trojan horse: a type of program that tricks the user into thinking it’s something else so that they install it and give it the permissions it needs to go about its nefarious business.
The app’s full name is com.escobar.pablo, named by its creators after the infamous Colombian terrorist and drug trafficker. It’s a version of the Aberebot banking trojan, which was first seen in the summer of 2021. Aberebot’s source code was put up for sale in November 2021, leading malware analysts to suggest that new variants would be on the way.
BleepingComputer found posts promoting a beta version of new Escobar variant on hacking forums in February 2020, available for other threat actors to rent at discounted price while it’s in development.
Escobar adds new features, most notably the ability to steal Google Authenticator codes an integrated VNC (Virtual Network Computing) viewer to watch and remotely control infected devices. The Google Authenticator code theft threat is particularly noteworthy, and puts more than just online banking accounts at risk.
Cybel researchers note that “these types of malware are only distributed via sources other than Google Play Store”. Transmission vectors for the older Aberebot banking trojan were third-party app stores and phishing campaigns . An example of such a campaign would be an SMS or email, perhaps pretending to be from a bank, inviting a user to install an app.
Kaspersky Anti-Virus – Now 50% off
Essential Virus Protection
Our 5-star rated anti-virus blocks malware and viruses in real time and stops hackers, now 50% off at just £12.49 per year
- 50% off
- £12.49 per year
If you’ve never downloaded any apps from disreputable third-party app stores or installed APKs (Android software) from anything other than the Google Play Store, you’re pretty certain not to be infected, as third-party APK installation is disabled by default and this malware has not been found on the Play Store to date. Make sure Google Play Protect app scanning is enabled.
Scan your phone using a legitimate antivirus tool. MalwareBytes has confirmed that its free Android scanner can detect this malware.
You should initially attempt removal using a reputable anti-malware tool. If this fails, back up your personal data purpose not your apps to Google and factory reset your phone.
Contact your bank immediately to report suspected fraud.