Android Escobar malware steals your Google Authenticator MFA codes

The Aberebot Android banking trojan is back as “Escobar” with new features, including stealing Google Authenticator multi-factor authentication codes.

New features in the latest version of Aberebot also include taking control of infected Android devices using VNC, recording audio, and taking photos, while expanding the set of applications targeted for credential theft.

The Trojan’s main goal is to steal enough information to allow hackers to take control of victims’ bank accounts, siphon off available balances, and perform unauthorized transactions.

Renamed Escobar

Using KELA’s DARKBEAST cyber-intelligence platform, BleepingComputer found a February 2022 post on a Russian-speaking hacking forum in which the Aberebot developer promotes the new version as “Escobar Bot Android Banking Trojan”.

Message from the seller on a darknet forum (KELA)

The malware author rents the beta version of the malware for $3,000 per month to up to five customers, with threat actors being able to test the bot for free for three days.

The threat actor plans to increase the price of the malware to $5,000 once development is complete.

MalwareHunterTeam first spotted the suspicious APK on March 3, 2022, disguised as a McAfee application, and warned of its stealthiness against the vast majority of antivirus engines.

This was picked up by researchers at Cyble, who performed an analysis of the new “Escobar” variant of the Aberebot Trojan.

According to the same analysts, Aberebot first appeared in the wild in the summer of 2021, so the appearance of a new version indicates active development.

Old and new abilities

Like most banking Trojans, Escobar displays overlaid login forms to hijack user interactions with online banking apps and websites and steal victims’ credentials.

The malware also contains several other features that make it powerful against any version of Android, even if overlay injections are somehow blocked.

The authors expanded the set of targeted banks and financial institutions to 190 entities from 18 countries in the latest version.

The malware asks for 25 permissions, 15 of which are used for malicious purposes. Examples include accessibility, audio recording, reading SMS, read/write storage, getting the account list, disabling the key lock, calls, and precise device location access.

Everything the malware collects is uploaded to the C2 server, including SMS call logs, key logs, notifications, and Google Authenticator codes.

Code to retrieve Google Authenticator codes (Cyble)

The above is enough to help scammers overcome two-factor authentication hurdles when taking control of online bank accounts.

2FA codes arrive via SMS or are stored and rotated in HMAC-based software tools such as Google’s Authenticator. The latter is considered more secure as it is not susceptible to SIM card swapping attacks, but it is still not protected against malware infiltrating the user space.

In addition, the inclusion of VNC Viewer, a cross-platform screen sharing utility with remote control capabilities, gives hackers a powerful new weapon to do whatever they want when the device is unattended.

VNC viewer code in Aberebot (Cyble)

Besides the above, Aberebot can also record audio clips or take screenshots and exfiltrate both to the actor-controlled C2, with the full list of supported commands listed below.

Table of commands accepted by Aberebot (Cyble)

Should we be worried?

It is still too early to tell how popular the new Escobar malware will become in the cybercriminal community, especially at a relatively high price. Nevertheless, it is now powerful enough to attract a wider audience.

Moreover, its operating model, in which random actors can rent it, means that its distribution channels and methods can vary widely.

In general, you can minimize the risk of being infected with Android Trojans by avoiding installation of APKs outside of Google Play, using a mobile security tool, and ensuring that Google Play Protect is enabled on your device.

Also, when installing a new app from any source, watch out for unusual permission requests and monitor the app’s battery and network consumption statistics for the first few days to identify any suspicious patterns.
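The permission list described earlier and the advice above to watch for unusual permission requests can be turned into a quick triage check. The following is an added example, not code from Cyble or BleepingComputer: it assumes the APK's manifest has already been decoded to text XML, and the mapping from the article's permission descriptions to Android permission constants, the flagging heuristic, and the sample manifests are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumption: this mapping of the article's descriptions to Android constants is ours.
HIGH_RISK = {
    P + "RECORD_AUDIO": "audio recording",
    P + "READ_SMS": "reading SMS",
    P + "READ_EXTERNAL_STORAGE": "read storage",
    P + "WRITE_EXTERNAL_STORAGE": "write storage",
    P + "GET_ACCOUNTS": "getting account list",
    P + "DISABLE_KEYGUARD": "disabling key lock",
    P + "CALL_PHONE": "calls",
    P + "ACCESS_FINE_LOCATION": "precise location",
}

def triage_manifest(manifest_xml, threshold=4):
    """Return (flagged, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {e.get(NS + "name") for e in root.iter(tag)}
    findings = sorted(HIGH_RISK[p] for p in requested if p in HIGH_RISK)
    # Accessibility is not a <uses-permission>: the app declares a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE, which the user enables later.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    findings += ["accessibility service " + str(n) for n in a11y]
    # Heuristic (assumed): accessibility plus SMS access, or many risky grants.
    flagged = (bool(a11y) and "reading SMS" in findings) or len(findings) >= threshold
    return flagged, findings

# Constructed sample manifests (hypothetical packages, not from any real APK).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
FAKE_AV = HEAD % "com.example.fakeav" + """
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application><service android:name=".HelperService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
NOTES = HEAD % "com.example.notes" + """
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml_text in (("fakeav", FAKE_AV), ("notes", NOTES)):
        print(name, triage_manifest(xml_text))
```

A flagged result is a prompt for closer review, not a verdict: legitimate apps can request several of these permissions, so the combination matters more than any single entry.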

About Marion Browning
