Android banking trojan returns in new avatar: All you need to know about Escobar

Aberebot Android trojan: The Aberebot Android trojan has returned in a new avatar, complete with a new name and a new feature. The banking virus or trojan has returned with the ability to now even steal multi-factor authentication codes from the Google Authenticator. Cyber security platform Cyble last week said that it had come across a tweet by researchers mentioning a malware “that has a name and icon similar to the legitimate anti-virus app, McAfee”.

Also read | Cops warn against The Kashmir Files download links on WhatsApp: Here’s why

It has corroborated that the malicious app was Escobar, which it found was a new variant of Aberebot banking trojan. “Besides stealing sensitive information such as login credentials using phishing overlays, Aberebot has also targeted customers of 140+ banks and financial institutions across 18 countries,” Cyble said in a statement.

The platform added that apart from the ability to steal data from Google Authenticator, the Escobar also had the ability to take control of the screens of an infected Android device using VNC, etc. The variant was named Escobar by the Threat Actors (TAs) – the individual(s) who created this malware – and its feature details were published in a cybercrime forum, the cyber security platform said.

The name and the logo of the app is similar to McAfee, which is a popular antivirus software. As per Cyble, the malware requests users to grant 25 permissions, and of those, it abuses 15. The permissions sought by Escobar trojan include SMS access, SMS interception, call log access, contacts access, access to information like phone number, device serial number, cellular network, status of outgoing calls, permission for audio recording, GPS location access, permission to send SMS via third-party application, permission to initiate phone call without user’s confirmation or knowledge, and permission to disable keylock as well as any associated password security, among others.

Cyble also found that the malware clicks pictures using the device camera, deletes files, and steals media files based on the commands it receives from the C&C server. Phone numbers and email addresses of victims are also stolen by it.

The C&C server can also command the trojan to kill itself.

The platform said that according to its research, the malware is being distributed via sources other than the Google Play Store, and hence, cyber hygiene must be practiced by users.