Android banking trojan Aberebot returns as Escobar malware

Aberebot Android banking trojan is back under a new name Escobar. The new Escobar malware is an Android banking trojan that aims to steal information that would allow the malware operators to access bank accounts and steal money. However, judging by the malware author’s posts on a hacker forum, it seems the malware is still in the testing phase as the author is offering a BETA version. Nonetheless, it appears that the Android malware will be a dangerous piece of malicious software, though how widespread it will become is not certain.

 

 

It appears that Escobar malware is still in its testing phase, as BleepingComputer has uncovered a post on a Russian-speaking hacker forum offering cybercriminals to rent a BETA version of the malware for cheaper. Criminals can rent the BETA version for $3000/month but the price will go up to $5000/month once bugs are patched and the malware is complete. The fact that Escobar malware is up for rent means that it will be distributed in many different ways as different cybercrime gangs prefer different spread methods and have access to different resources. But it’s unlikely that Escobar malware or its distribution will be anything groundbreaking. As long as users follow the usual advice, they should be able to avoid infection. That includes only downloading apps from the Google Play Store, not clicking on unknown links, researching apps and developers before downloading/installing, carefully reviewing app permissions, and having a reliable security tool installed on the device.

What does Escobar Malware (Android) do?

The malware is a banking trojan so its primary focus is online bank logins and other important credentials. It uses the typical banking trojan tactics to essentially phish users. The app requests 25 permissions overall when installed on an Android device, including audio recording, access to SMS, storage read/write, device location, keylock disabling, and more.

The way Escobar malware works is it displays fake overlay login forms when users try to log in to their online banking accounts. When users open, for example, their bank’s login page, the malware displays a fake page over it. If users type in their login credentials, they are immediately uploaded onto a C2 server. And since the malware has access to SMS, it can get the two-factor authentication codes that would allow it to bypass this additional security measure. If malware operators get access to this information, it could allow them to access bank accounts and make unauthorized transactions. Escobar malware also has the ability to essentially give malware operators full control of an unattended device. It can also take screenshots, download files, record audio, uninstall itself, access Google Authenticator codes, send SMS, and much more.

When Escobar malware is fully released, it will likely be a very dangerous piece of malicious software but how widespread it will be only time will tell. But as we said already, users should be able to avoid infection if they’re careful about where they download their apps from. While some malicious apps are able to bypass Google Play Store’s security measures, it’s still much safer to only download apps from it, especially compared to questionable third-party app stores that are poorly regulated.