This Escobar variant can steal banking credentials through overlay login forms, take screenshots, and record audio. This trojan is so sophisticated that it can steal MFA codes and even remotely control the victim’s device through VNC integration.
Escobar Banking Trojan in Wild
According to reports, the new Escobar malware is the second edition of Aberebot, which first appeared in the summer of last year. Later, MalwareHunterTeam found this Escobar Bot Android banking trojan posing as the McAfee app. BleepingComputer found that a seller on a Russian forum is selling the beta version of the Escobar bot for $3,000, and later for $5,000. It can perform a wide range of activities, such as stealing credentials, taking screenshots, and even controlling a device remotely.
Escobar starts its operations like any other banking trojan, through overlay login forms. All the details entered are then stolen and sent to the hacker's server. The list of banks and financial institutions Escobar targets has grown to a whopping 190 entities from 18 countries.

Masquerading as a legitimate app, the Escobar trojan asks for over 25 permissions, 15 of which are abused for malicious purposes. These permissions include accessibility, audio recording, reading SMS, reading and writing storage, getting the account list, disabling the keylock, making calls, and accessing the precise device location.

Researchers noted that Escobar can even steal MFA codes from apps like Google Authenticator and send them to the hackers' C2 server. Also, with VNC Viewer's support, it gains remote control features to do almost anything the hackers desire.

Since it is so sophisticated, researchers warned people to be vigilant and to watch their device's performance closely when running any suspicious app. They also recommend not installing apps from outside sources.
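The permission list above can be turned into a quick triage check on a decoded `AndroidManifest.xml` (for example one extracted with apktool). This is an added example, not code from the researchers or the article: the mapping from the article's wording to Android permission constants, the `audit_manifest` helper, the threshold of four, and the sample manifest are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The article's permission list mapped to Android manifest constants (assumed mapping).
RISKY = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.GET_ACCOUNTS": "get account list",
    "android.permission.DISABLE_KEYGUARD": "disable the keylock",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(xml_text, threshold=4):
    """Flag an app that pairs an accessibility service with several risky permissions."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = sorted(RISKY[p] for p in requested if p in RISKY)
    # Accessibility is not requested via <uses-permission>; an app exposes a
    # <service> protected by BIND_ACCESSIBILITY_SERVICE, so check services too.
    a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
               for s in root.iter("service"))
    if a11y:
        hits.append("accessibility service")
    return {
        "package": root.get("package"),
        "requested_total": len(requested),
        "risky": hits,
        # Heuristic only (threshold is an assumption): a triage signal, not a verdict.
        "suspicious": a11y and len(hits) >= threshold,
    }

# Constructed sample manifest; package name and service name are made up.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

Legitimate apps also use some of these permissions, so a hit is a prompt for closer review of an app that claims to be, say, an antivirus product, not proof of malware.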