Android users have this month been hit by Escobar, malicious software built to steal your personal data and online banking details while disguised as legitimate antivirus software.
It does this using a combination of remote control features, showing you fake bank login screens and capturing two-factor authentication tokens from SMS messages or the Google Authenticator 2FA app.
It can also record audio, take photos and screenshots, download your media, uninstall apps, send text messages, monitor your calls, messages and notifications, disable your phone’s lock code, copy your contacts and steal application keys.
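The capabilities listed above map onto a recognisable set of Android permissions: an app that can read incoming SMS and also draw over other apps (or drive the screen through an accessibility service) has what a banking trojan needs to show a fake login page and harvest the 2FA code. The following Python script is an added example, not code from the article or from any of the researchers it cites. It takes a package inventory (constructed inline here; in practice it would come from an MDM export or `adb shell dumpsys package`) and flags the package name the article reports, com.escobar.pablo, as well as any app whose requested permissions match that SMS-plus-overlay profile. The permission names are real Android permissions; the combination heuristic and the sample inventory are this example's own assumptions.

```python
"""Flag installed Android packages whose permission profile matches the
capabilities the article attributes to Escobar.

Added example. The package inventory is constructed for illustration; the
detection heuristic (SMS access combined with overlay/accessibility) is an
assumption of this example, not a rule published with the article.
"""
from dataclasses import dataclass

# Package name reported for the trojan in the article.
KNOWN_BAD_PACKAGES = {"com.escobar.pablo"}

# Real Android permission names, mapped to the capability each one enables.
CAPABILITY_BY_PERMISSION = {
    "android.permission.READ_SMS": "read SMS (2FA token capture)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA token capture)",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake login overlays)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen reading / remote control)",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "take photos",
    "android.permission.READ_CONTACTS": "copy contacts",
    "android.permission.READ_CALL_LOG": "monitor calls",
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstall apps",
}

# Heuristic (assumption): a banking trojan needs to see SMS *and* be able to
# put a window over the real app or drive the UI. Either half alone is common
# in legitimate apps (messengers, screen filters), so only the combination fires.
CORE_SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CORE_UI = {"android.permission.SYSTEM_ALERT_WINDOW",
           "android.permission.BIND_ACCESSIBILITY_SERVICE"}


@dataclass
class Finding:
    package: str
    reasons: list        # why the package was flagged
    capabilities: list   # human-readable list of what its permissions allow


def assess_package(package, permissions):
    """Return a Finding for a suspicious package, or None if nothing matched."""
    perms = set(permissions)
    reasons = []
    if package in KNOWN_BAD_PACKAGES:
        reasons.append("known Escobar package name")
    if perms & CORE_SMS and perms & CORE_UI:
        reasons.append("requests SMS access together with overlay/accessibility")
    if not reasons:
        return None
    caps = sorted(CAPABILITY_BY_PERMISSION[p] for p in perms
                  if p in CAPABILITY_BY_PERMISSION)
    return Finding(package, reasons, caps)


def scan_inventory(inventory):
    """Run assess_package over a {package: [permissions]} mapping."""
    findings = []
    for package, permissions in inventory.items():
        finding = assess_package(package, permissions)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed inventory: package name -> permissions requested in its manifest.
SAMPLE_INVENTORY = {
    "com.escobar.pablo": [
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.SEND_SMS", "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
        "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
        "android.permission.REQUEST_DELETE_PACKAGES",
    ],
    # A legitimate SMS client: SMS access but no overlay/accessibility -> not flagged.
    "com.example.messenger": [
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    ],
    # A screen-dimming utility: overlay alone -> not flagged.
    "com.example.screenfilter": ["android.permission.SYSTEM_ALERT_WINDOW"],
    # Unknown name, but the SMS + overlay profile matches -> flagged.
    "com.example.fakeav": [
        "android.permission.RECEIVE_SMS", "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECORD_AUDIO",
    ],
}

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(f"{finding.package}: {'; '.join(finding.reasons)}")
        for cap in finding.capabilities:
            print(f"    - {cap}")
```

The point of requiring the combination rather than any single permission is to keep the false-positive rate usable: a messenger legitimately reads SMS, and a screen filter legitimately draws over other apps, but an app claiming to be an antivirus that wants both is worth a closer look regardless of its name.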
Spotted in the wild in early March by MalwareHunterTeam and documented in detail by threat intelligence firm Cyble, Escobar disguises itself as the McAfee Security app. It’s a trojan horse: a type of program that tricks the user into thinking it’s something else so that they install it and give it the permissions it needs to go about its nefarious business.
The app’s full name is com.escobar.pablo, named by its creators after the infamous Colombian terrorist and drug trafficker. It’s a version of the Aberebot banking trojan, which was first seen in the summer of 2021. Aberebot’s source code was put up for sale in November 2021, leading malware analysts to suggest that new variants would be on the way.
BleepingComputer found posts promoting a beta version of a new Escobar variant on hacking forums in February 2020, available for other threat actors to rent at a discounted price while it’s in development.
Escobar adds new features, most notably the ability to steal Google Authenticator codes and an integrated VNC (Virtual Network Computing) viewer to watch and remotely control infected devices. The Google Authenticator code…