The capabilities of the Escobar malware are still being modified. It began as an older banking trojan called Aberebot, which has now been reworked into Escobar and reported from over 119 countries so far. Its most dangerous feature strikes at the heart of user authentication: it intercepts multi-factor authentication codes and steals login credentials and personal data.
The new variant is being peddled under the guise of an anti-virus application (it even uses the same icon). Unlike the genuine anti-virus app, however, the fake version is not available on the Google Play Store. It has to be downloaded from third-party sites, to which unsuspecting users are lured by the attackers.
Once installed, the Escobar malware asks for as many as 26 permissions. It harvests personal information through fake login screens and intercepts and reroutes two-factor authentication tokens or one-time passwords sent by banks or generated by the Google Authenticator 2FA app.
It doesn't stop there. It can also take pictures, copy and transmit media files, install and uninstall apps, monitor online activity, track phone calls and messages, copy contact information, modify app information, steal keys, and even copy chat content. Because it masquerades as a genuine anti-virus application, users may be tricked into ignoring red flags or other signs of infection they come across.
Escobar represents a new breed of malware that targets the mechanisms through which multi-factor authentication is delivered. While the way it is deployed is quite simple, what it does after installation is not. The malware takes over the victim's phone completely, and if the same phone is also used for work, an enterprise-level breach becomes possible.
Why should we worry about this new variant of Aberebot (Escobar)?
- Two-factor authentication is being touted as a strong measure to keep users safe from breaches and cyberattacks, but with the emergence of such malware even this frontier can be breached.
- Sectrio's researchers have identified at least one variant that is now masquerading as a popular gaming app. This means the attackers are already working on more fake apps to trick users.
- The activity footprint of this malware is significant, yet on popular versions of Android it creates no lag or delay of any kind that might alert users to a suspicious app running in the background. Escobar sequences its activities so that it never becomes a bandwidth- and memory-guzzling application.
- The malware is built on multi-level deception. Level one is the anti-virus disguise; level two routes victims to fake sites; level three prevents screen lock and other protective mechanisms; level four exfiltrates data so the attackers can target non-banking sites connected with the victim.
- Sectrio's researchers have come across sites offering this malware for rent at anywhere between USD 500 (low grade, with simple functions) and USD 4,500 (all functions and a guarantee on performance) per month.
Escobar could be used to target enterprises and government agencies from here on. Given the breadth of its functions, it could turn into a tool for corporate espionage, blackmail, or even the theft and sale of financial data.
The only way to stay safe from this malware is by downloading apps only from the Google Play Store.
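The two defensive checks the post points to, where an app was installed from and whether its requested permissions match the capability set described above (overlay login screens, SMS/OTP capture, camera, contacts, call logs), can be scripted against device output. The following is an added example written for this article; it is not Sectrio's code and has nothing to do with the sample itself. It assumes the line shape of `adb shell pm list packages -i` ("package:<name>  installer=<pkg>", with `installer=null` for sideloaded apps) and the "requested permissions:" section of `adb shell dumpsys package <name>`. The package names and both command outputs below are constructed for the example, not captured from a real device, and the trusted-installer set and risk threshold are assumptions to adjust for your own fleet.

```python
"""Flag sideloaded Android packages whose requested permissions look like a
banking trojan's. Added example for this article, not Sectrio's code."""
import re

# Assumption: only Google Play counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions that, taken together on a sideloaded app, reproduce the
# capabilities described in the article. Accessibility and device-admin
# rights are declared on services rather than requested, so they are
# not visible in this list and must be checked separately.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay (fake login screens)",
    "android.permission.RECEIVE_SMS": "SMS receive (OTP interception)",
    "android.permission.READ_SMS": "SMS read (OTP interception)",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "media files",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer from `pm list packages -i` output."""
    result = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_requested_permissions(dumpsys_output: str) -> set:
    """Collect permission names listed under 'requested permissions:'."""
    perms = set()
    in_section = False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if not line or line.endswith(":"):  # next dumpsys section
                break
            perms.add(line.split(":")[0])
    return perms


def triage(installers: dict, permissions_by_pkg: dict, threshold: int = 3) -> list:
    """Return findings for non-store packages with >= threshold risky permissions."""
    findings = []
    for pkg, installer in installers.items():
        if installer in TRUSTED_INSTALLERS:
            continue
        hits = sorted(p for p in permissions_by_pkg.get(pkg, ()) if p in RISKY_PERMISSIONS)
        if len(hits) >= threshold:
            findings.append({"package": pkg, "installer": installer, "risky": hits,
                             "reasons": [RISKY_PERMISSIONS[p] for p in hits]})
    return findings


# Constructed sample output of `adb shell pm list packages -i`.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.fakeav  installer=null
package:com.example.notes  installer=null
"""

# Constructed excerpts of `adb shell dumpsys package <name>` per package.
SAMPLE_DUMPSYS = {
    "com.example.fakeav": """\
Packages:
  Package [com.example.fakeav] (0000000):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.notes": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
""",
}


def run_sample() -> list:
    """Run the two checks over the constructed sample data."""
    installers = parse_installers(SAMPLE_PM_OUTPUT)
    perms = {pkg: parse_requested_permissions(out) for pkg, out in SAMPLE_DUMPSYS.items()}
    return triage(installers, perms)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['package']} (installer={f['installer']}): {', '.join(f['reasons'])}")
```

On the sample data only the sideloaded fake anti-virus package is reported: the banking app came from the store and is skipped, and the sideloaded notes app requests just one risky permission, below the threshold. On a real device, feed the script the actual command outputs and treat any hit as a prompt to uninstall and to rotate the credentials and second factors used on that phone.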
Join our upcoming webinar: Key Takeaways from the Sectrio’s Global Threat Landscape Assessment Report 2022
IoT and OT focused threat Intelligence feeds free for 15 days! Try it right now: Threat Intelligence
We also have the right cybersecurity solutions for your critical infrastructure. Allow us to give you a sneak preview of its capabilities through a no-obligation demo.