Escobar Android Malware

Escobar Android Malware Description

The Escobar Android malware is a powerful banking Trojan that boasts a significant set of intrusive and threatening features and capabilities. Furthermore, the threat continues to be under active development and could become even more invasive in the future. It should be noted that Escobar is not an entirely new malware strain. In fact, it appears to be a rebranding of a previously identified mobile banking Trojan known as Aberebot. It seems that after expanding the functionalities of Aberebot significantly, the developers of the threat decided to rebrand it.

Still in Development

The first signs of the Escobar Android malware can be traced back to a post on a Russian-speaking hacker forum from February 2022. The post detailed that Escobar is considered in the BETA phase of development. As such, its creators were willing to provide 5 customers with access to the threatening tool for $3000 per month. Candidates also were going to be able to test the Trojan for three days for free. Upon the full release of the threat, the price would be bumped up to $5000 per month. A month later, in March 2022, security researchers found the Escobar threat posing as a McAfee application.

Growing List of Functions

The Escobar banking Trojan utilizes overlay login forms to capture any user interactions with select banking applications and websites and collect the victim's credentials. So far, the malware is capable of targeting 190 different financial entities spread across 18 countries. In addition, by asking for a total of 25 permissions, Escobar can perform numerous other harmful actions on the breached devices.

The threat is capable of reading SMS, recording audio, taking arbitrary screenshots, making calls, accessing the device's geolocation, gathering call logs, key logs, notifications, and even Google Authenticator codes that are used in 2FA (two-factor authentication) by numerous services. All collected information is then exfiltrated to the Command-and-Control (C2, C&C) server of the operation. The developers of the Escobar Android malware are abusing VNC viewer, a utility for cross-platform screen sharing, to further expand their reach and the actions they can perform on the compromised device.