Android Malware Escobar Steals Two-Factor Authentication Codes from Google Authenticator

Escobar Android Malware Targets Google Authenticator Codes

Cybersecurity experts have warned that the Aberebot banking trojan for Android has resurfaced under the new name Escobar, now equipped with additional features, including the ability to steal codes from the Google Authenticator app. According to a report by Bleeping Computer, security researchers discovered that in February 2022, the developer of Aberebot began promoting the Escobar malware on a Russian-language hacking forum.

The threat actor announced that they would rent out the beta version of the malware for $3,000 per month to a maximum of five clients, with a free three-day trial available. The author also plans to raise the price to $5,000 after development is complete.

The malicious APK associated with Escobar was first detected by MalwareHunterTeam on March 3, 2022. The banking trojan disguised itself as a McAfee app and successfully evaded detection by most antivirus programs. Experts from Cyble analyzed this new variant of Aberebot and shared their findings.

How Escobar Works and Its Capabilities

Like most banking trojans, Escobar displays malicious overlays on top of financial apps and banking websites to steal victims’ login credentials. Its list of targeted banks and financial institutions includes 190 organizations across 18 countries. The malware also boasts several other features that make it effective on any version of Android, even if overlays fail to work.

Escobar requests 25 permissions from its victims, 15 of which are used for criminal purposes. These include access to Accessibility services, audio recording, reading SMS messages, reading and writing to storage, retrieving account lists, disabling the lock screen, making calls, and accessing location data.

All collected data is sent to the malware’s command-and-control server, including SMS and call logs, keylogging data, notifications, and multi-factor authentication codes from the Google Authenticator app.
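As an added defender-side illustration (not code from the article, from Cyble, or from the malware itself), the routine below reads a decoded AndroidManifest.xml and reports whether it requests the permission cluster described above together with a declared accessibility service, the combination that lets a banker overlay apps and read OTP messages. The sample manifest is constructed for a fake antivirus app and is not the real Escobar manifest.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Subset of the abusable permissions named in the article, mapped to the capability each grants.
ABUSABLE = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.GET_ACCOUNTS": "list accounts",
    "android.permission.DISABLE_KEYGUARD": "disable lock screen",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent-filter handles the AccessibilityService action.
    a11y = any(
        svc.get(A + "permission") == A11Y_BIND
        and any(act.get(A + "name") == A11Y_ACTION for act in svc.iter("action"))
        for svc in root.iter("service")
    )
    flagged = {p: ABUSABLE[p] for p in sorted(requested) if p in ABUSABLE}
    return {
        "requested": len(requested),
        "flagged": flagged,
        "accessibility_service": a11y,
        # Accessibility control plus SMS access is the overlay-and-OTP-theft pattern described.
        "banker_pattern": a11y and bool(requested & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}),
    }

# Constructed sample manifest (hypothetical package name, not the real Escobar APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with a tool such as apktool; a legitimate app that requests SMS access but declares no accessibility service will not trigger `banker_pattern`.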

Bypassing Two-Factor Authentication

With this information, hackers can often bypass two-factor authentication (2FA) and gain control over a victim’s finances. Typically, 2FA codes are either sent via SMS or generated on the device by HMAC-based one-time-password apps like Google Authenticator. While Google Authenticator is considered more secure than SMS (it is not vulnerable to SIM-swapping attacks), the app remains susceptible to malware that has already compromised the user’s device, since the codes are displayed on screen where an accessibility-abusing trojan can read them. Security experts have previously criticized Google Authenticator for its lack of robust protection against such threats.
