New Android Malware Detected to Hijack Google Authenticator MFA Tokens: “Escobar”

Security researchers have detected that the Aberebot Android banking trojan has been redistributed under the name ‘Escobar’ with new features added, including the hijacking of Google Authenticator multi-factor authentication (MFA) codes. The capabilities previously added to Aberebot, namely taking control of infected Android devices via VNC, recording audio, taking pictures, and capturing identity information, are also present in the newly detected Escobar variant. The ultimate goal of this malware is to gather the information that would allow threat actors to hijack targets’ bank accounts and perform unauthorized transactions.

Escobar malware is distributed to target systems as a fake McAfee Anti-Virus application. Once downloaded to the user’s device, the malicious application requests 25 different permissions, 15 of which are abused. If users approve the requested permissions, the malware gains access to the user’s contact directory, SMS, call logs, and sensitive data such as device location. In addition, via commands received from the C&C server, the malware can delete files, send SMS, make calls, control the device camera, and record calls and voice.

Threats targeting the banking sector are increasing and evolving day by day. Escobar and similar malware are often distributed through unofficial sources such as forums. For this reason, Android users are advised to download applications only from official and reliable sources, to pay attention to the permissions requested by applications, and to enable multi-factor authentication (MFA) features so as not to be exposed to similar malware campaigns. In addition, it is recommended to use reliable Anti-Virus / Anti-Malware solutions and to block the IoCs related to this malware in the security solutions in use.
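The permission over-request described above (a self-styled anti-virus app asking for contacts, SMS, call logs, location, camera and microphone access) is something an analyst can triage mechanically from an app's AndroidManifest.xml. The following is an added example, not code from the report or from any vendor: it parses a constructed manifest, flags declared permissions that map to the capabilities the report lists, and rates the app. The permission identifiers are real Android ones; the mapping to the report's capabilities, the threshold and the sample manifest are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability named in the report. The permission strings are real
# Android identifiers; mapping them to the report's capabilities is an assumption.
ABUSABLE = {
    "android.permission.READ_CONTACTS": "contact directory",
    "android.permission.READ_SMS": "SMS (read)",
    "android.permission.RECEIVE_SMS": "SMS (intercept incoming)",
    "android.permission.SEND_SMS": "SMS (send)",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.CAMERA": "device camera",
    "android.permission.RECORD_AUDIO": "record calls/voice",
}

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on <uses-permission> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]

def triage(manifest_xml: str, high_threshold: int = 5) -> dict:
    """Flag permissions matching the abused capabilities and rate the app (assumed threshold)."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: ABUSABLE[p] for p in perms if p in ABUSABLE}
    verdict = "high" if len(flagged) >= high_threshold else "medium" if flagged else "low"
    return {"declared": len(perms), "flagged": flagged, "verdict": verdict}

# Constructed manifest of a fake "anti-virus" app that over-requests permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.antivirus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))  # verdict: high, 9 of 10 declared permissions flagged
```

On a real sample, extract the manifest with apktool or aapt first; the verdict is a triage aid for deciding what to inspect next, not a malware determination on its own.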
