What is Escobar malware?
Android users have this month been hit by Escobar, malicious software built to steal your personal data and online banking details while disguised as legitimate antivirus software. It does this using a combination of remote-control features, showing you fake bank login screens and capturing two-factor authentication tokens from SMS messages or the Google Authenticator 2FA app.
It can also record audio, take photos and screenshots, download your media, uninstall apps, send text messages, monitor your calls, messages and notifications, disable your phone’s lock code, copy your contacts and steal application keys.
Possibly interesting, very low detected “McAfee9412.apk”: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f
From: https://cdn.discordapp[.]com/attachments/900818589068689461/948690034867986462/McAfee9412.apk
"com.escobar.pablo" 😂 pic.twitter.com/QR89LV4jat
Spotted in the wild in early March by MalwareHunterTeam and documented in detail by threat intelligence firm Cyble, Escobar disguises itself as the McAfee Security app. It’s a trojan horse: a type of program that tricks the user into thinking it’s something else so that they install it and give it the permissions it needs to go about its nefarious business.
The app’s full name is com.escobar.pablo, named by its creators after the infamous Colombian terrorist and drug trafficker. It’s a version of the Aberebot banking trojan, which was first seen in the summer of 2021. Aberebot’s source code was put up for sale in November 2021, leading malware analysts to suggest that new variants would be on the way.
BleepingComputer found posts promoting a beta version of a new Escobar variant on hacking forums in February 2020, available for other threat actors to rent at a discounted price while it’s in development.
Escobar adds new features, most notably the ability to steal Google Authenticator codes and an integrated VNC (Virtual Network Computing) viewer to watch and remotely control infected devices. The theft of Google Authenticator codes is particularly noteworthy, as it puts more than just online banking accounts at risk.
Cyble researchers note that “these types of malware are only distributed via sources other than Google Play Store”. Transmission vectors for the older Aberebot banking trojan were third-party app stores and phishing campaigns. An example of such a campaign would be an SMS or email, perhaps pretending to be from a bank, inviting a user to install an app.
FAQs
If you’ve never downloaded any apps from disreputable third-party app stores or installed APKs (Android software) from anything other than the Google Play Store, you’re pretty certain not to be infected, as third-party APK installation is disabled by default and this malware has not been found on the Play Store to date. Make sure Google Play Protect app scanning is enabled.
Scan your phone using a legitimate antivirus tool. Malwarebytes has confirmed that its free Android scanner can detect this malware.
You should initially attempt removal using a reputable anti-malware tool. If this fails, back up your personal data but not your apps to Google and factory reset your phone.
Contact your bank immediately to report suspected fraud.
K.G. Orphanides is a writer and developer whose areas of expertise include internet security, VPNs, Linux for the desktop, small-scale game development, software preservation and computer audio techno…
Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.
Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.