Android Malware Escobar

Cybersecurity analysts at the security firm Cyble have recently detected a new Android malware dubbed “Escobar.” It steals Google Authenticator multi-factor authentication codes and is a remake of the Aberebot Android banking trojan.

This new version of the Aberebot Android banking trojan has been detected with a name and icon similar to the legitimate anti-virus app McAfee, and it enables its operators to perform the following tasks:

  • Taking control of infected Android devices using VNC
  • Recording audio
  • Taking photos
  • Expanding the set of apps targeted for credential theft

In short, the primary goal of the Escobar malware is to let threat actors do the following to their victims:

  • Steal banking credentials.
  • Take over victims’ bank accounts.
  • Siphon available balances.
  • Perform unauthorized transactions.

Moreover, the Aberebot banking trojan has targeted users of more than 140 banks and financial institutions in 18 countries. The threat actors have also published Escobar's feature details on a cybercrime forum.

APK Metadata Info

The key details of the APK metadata are listed below:

  • App Name: [McAfee]
  • Package Name: com.escobar[.]pablo
  • SHA256 Hash: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f

Permissions Requested

In total, the malware requested 25 different permissions, of which it exploits only 15. The requested permissions are listed below:

  • READ_SMS: Access SMSes from the victim’s device.
  • RECEIVE_SMS: Intercept SMSes received on the victim’s device
  • READ_CALL_LOG: Access Call Logs
  • READ_CONTACTS: Access phone contacts
  • READ_PHONE_STATE: Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
  • RECORD_AUDIO: Allows the app to record audio with the microphone, which has the potential to be misused by attackers
  • ACCESS_COARSE_LOCATION: Allows the app to get the approximate location of the device from network sources such as cell towers and Wi-Fi.
  • ACCESS_FINE_LOCATION: Allows the device’s precise location to be detected by using the Global Positioning System (GPS).
  • SEND_SMS: Allows an application to send SMS messages.
  • CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  • WRITE_EXTERNAL_STORAGE: Allows the app to write or delete files in the device’s external storage
  • READ_EXTERNAL_STORAGE: Allows the app to read the contents of the device’s external storage
  • WRITE_SMS: Allows the app to modify or delete SMSes
  • GET_ACCOUNTS: Allows the app to get the list of accounts used by the phone
  • DISABLE_KEYGUARD: Allows the app to disable the keylock and any associated password security
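
For triage, the permission list above can be turned into a quick check on a decoded `AndroidManifest.xml`. The following is an added example, not code from the original article or from Cyble's analysis: it reports how many of the 15 listed permissions an app requests and whether a brand-name label sits on an untrusted package. The `brand_prefixes` parameter, the 0.6 threshold, and the sample package names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# The 15 permissions the article lists for the Escobar sample.
LISTED = {
    "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS",
    "READ_PHONE_STATE", "RECORD_AUDIO", "ACCESS_COARSE_LOCATION",
    "ACCESS_FINE_LOCATION", "SEND_SMS", "CALL_PHONE",
    "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "WRITE_SMS",
    "GET_ACCOUNTS", "DISABLE_KEYGUARD",
}

def triage_manifest(xml_text, brand_prefixes=None, threshold=0.6):
    """Summarise how closely a decoded manifest matches the listed set.

    brand_prefixes (hypothetical parameter): maps an app label to the package
    prefixes the analyst trusts for that brand, e.g. from an MDM inventory.
    """
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    requested = set()
    for node in root.iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            # android.permission.READ_SMS -> READ_SMS
            requested.add(node.get(ANDROID + "name", "").rsplit(".", 1)[-1])
    matched = sorted(requested & LISTED)
    overlap = len(matched) / len(LISTED)
    trusted = (brand_prefixes or {}).get(label)
    # Only judge the label when it is a literal with a known brand entry;
    # "@string/..." references need the resource table to resolve.
    mismatch = trusted is not None and not package.startswith(tuple(trusted))
    return {"package": package, "label": label, "matched": matched,
            "overlap": round(overlap, 2), "brand_mismatch": mismatch,
            "review": overlap >= threshold or mismatch}

# Constructed sample manifest (not taken from the real sample): ten of the
# listed permissions plus INTERNET, under a placeholder package name.
SAMPLE = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.fakeav">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>'
              for p in sorted(LISTED)[:10] + ["INTERNET"])
    + '<application android:label="McAfee"/></manifest>')

if __name__ == "__main__":
    # "com.example.vendor." is a placeholder for the real vendor's prefix.
    print(triage_manifest(SAMPLE, {"McAfee": ["com.example.vendor."]}))
```

A high overlap alone is not proof of malice, since legitimate security and messaging apps request many of the same permissions; treat the result as a reason to review, not a verdict.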

It has been claimed that the beta version of this malware is priced at $3,000, and its operators have also claimed that the final version will be priced at $5,000.

At this moment, the beta version is limited to a maximum of five customers per month, and the operators also offer the ability to test the bot for free (3 days only).

Commands Used

The commands the threat actors use to control the infected device are listed below:

  • Take Photo
  • Send SMS
  • Send SMS to All Contacts
  • Inject a web page
  • Download File
  • Kill Bot
  • Uninstall an app
  • Record Audio
  • Get Google Authenticator Codes
  • Start VNC


Banking threats are increasing every day and growing rapidly in sophistication. To mitigate such threats, cybersecurity experts have recommended the following:

  • Download applications from the official app stores only.
  • Always use a robust AV tool.
  • Make sure to enable two-factor authentication.
  • Enable biometric security features.
  • Do not open any suspicious links received via SMS and emails.
  • Make sure to enable Google Play Protect.
  • Always keep your Android device and installed apps updated.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.